Ticket #5492 (closed Bug: fixed)
Information disclosure
| Reported by: | ctheune | Owned by: | shh |
|---|---|---|---|
| Priority: | critical | Milestone: | 2.1.3 |
| Component: | Infrastructure | Keywords: | |
| Cc: | | | |
Description
Do you think it's a good idea to allow getting all role assignments for users without login by calling http://plone.org/foundation/computeRoleMap?
Cheers, Christian
Change History
comment:3 Changed 6 years ago by shh
This arguably is a GRUF issue as getLocalRolesForDisplay most certainly should not be public. See GroupUserFolder.py:
```python
# This method normally has NOT to be public! It is because of a CMF inconsistency.
# folder_localrole_form is accessible to users who have the manage_properties permissions
# (according to portal_types/Folder/Actions information). This is silly!
# folder_localrole_form should be, in CMF, accessible only to those who have the
# manage_users permissions instead of manage_properties permissions.
# This is yet another CMF bug we have to care about.
# To deal with that in Plone2.1, we check for a particular permission on the destination
# object _inside_ the method.
security.declarePublic("getLocalRolesForDisplay")
```
comment:4 Changed 6 years ago by alecm
I'm not sure that code comment is sensible; folder_localrole_form needs to be usable by users who don't have 'Manage users', it needs to be usable by anyone that has a role they might want to share. In a perfect world the form would be a z3 view and none of the internal methods would be accessible TTW, or at least moved to a tool and be docstring-less. For backwards compatibility we can't really have that though, so the fix probably needs to go into GRUF. Is there a compelling reason that GRUF method can't be protected by a sensible permission?

This happens on all folders and is not plone.org specific...
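An added stand-alone model of the fix discussed in this ticket (it is not Zope, GRUF or Plone code): the role-map method checks a permission on the destination folder inside the method instead of being declared public, so an anonymous caller no longer receives the role assignments. The `Folder`, `User` and `check_permission` names are simplified stand-ins for Zope's security machinery, assumed here so the example runs without Zope installed.

```python
"""Model of a role-map method that checks a permission on the destination
object inside the method (the pattern the GRUF comment describes) next to
the public variant that leaks the map to any caller. Stand-in classes only."""

MANAGE_PROPERTIES = "Manage properties"  # CMF permission named in the quoted comment

class Unauthorized(Exception):
    """Raised when the caller lacks the required permission on the object."""

class Folder:
    def __init__(self, local_roles, permission_roles):
        self.local_roles = local_roles            # {principal: [roles]}: the sensitive data
        self.permission_roles = permission_roles  # {permission: {roles granted it}} on this object

class User:
    def __init__(self, name, roles):
        self.name = name
        self.roles = set(roles)

def check_permission(permission, obj, user):
    """Stand-in for getSecurityManager().checkPermission(permission, obj)."""
    return bool(user.roles & obj.permission_roles.get(permission, set()))

def compute_role_map_public(folder, user):
    """Before: declared public, so every caller (Anonymous included) gets the map."""
    return dict(folder.local_roles)

def compute_role_map_protected(folder, user):
    """After: the permission is checked on the destination folder itself."""
    if not check_permission(MANAGE_PROPERTIES, folder, user):
        raise Unauthorized(f"{user.name} may not view local roles on this folder")
    return dict(folder.local_roles)

def demo():
    """Constructed sample: one folder, an anonymous caller and the folder owner."""
    folder = Folder({"alice": ["Owner"], "editors": ["Editor"]},
                    {MANAGE_PROPERTIES: {"Manager", "Owner"}})
    anon = User("anonymous", ["Anonymous"])
    alice = User("alice", ["Owner", "Member"])
    leaked = compute_role_map_public(folder, anon)  # anonymous sees everything
    try:
        compute_role_map_protected(folder, anon)
        blocked = False
    except Unauthorized:
        blocked = True
    allowed = compute_role_map_protected(folder, alice)
    return leaked, blocked, allowed
```

Calling `demo()` returns the leaked map from the public variant, whether the protected variant refused the anonymous caller, and the map the owner still receives.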