
review security endpoint rules in access.js


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Expired
    • Affects Version/s: OpenIDM 3.2.0
    • Fix Version/s: OpenIDM 5.0.0
    • Component/s: Module - Authorization
    • Labels:
      None
    • Environment:
      r4923

      Description

      Authorization is handled by the access.js file.
      For the /security endpoints, we have this section at the end of the file:

      // Security Management
      {
          "pattern"   : "security/*",
          "roles"     : "openidm-admin",
          "methods"   : "read,create,update,delete",
          "actions"   : ""
      }

      But as far as I can understand, this rule is matched earlier by another one that appears previously in the file:

      // openidm-admin can request nearly anything (some exceptions being a few system and repo endpoints)
      {
          "pattern"   : "*",
          "roles"     : "openidm-admin",
          "methods"   : "*", // default to all methods allowed
          "actions"   : "*", // default to all actions allowed
          "customAuthz" : "disallowQueryExpression()",
          "excludePatterns": "system/*,repo,repo/*"
      },

      So, I would propose to modify this last section, and exclude "security" from it:

      // openidm-admin can request nearly anything (some exceptions being a few system and repo endpoints)
      {
          "pattern"   : "*",
          "roles"     : "openidm-admin",
          "methods"   : "*", // default to all methods allowed
          "actions"   : "*", // default to all actions allowed
          "customAuthz" : "disallowQueryExpression()",
          "excludePatterns": "system/*,repo,repo/*,security/*"
      },

      Does it make sense?
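      As an added example (not OpenIDM's own access.js evaluator), the following JavaScript models the first-match rule evaluation the report assumes and shows that, with the original excludePatterns, the catch-all rule answers an admin request to a security/* resource, while adding security/* to excludePatterns lets the Security Management rule answer it instead. The glob semantics and the request path security/sample are assumptions made for the example.

```javascript
// Added example for this ticket, not OpenIDM's own access.js evaluator.
// It models the first-match-wins rule evaluation the report assumes: rules are
// checked in order and the first one whose pattern, excludePatterns, roles and
// methods all fit the request decides. "actions" and "customAuthz" are ignored.

// A "*" in a pattern stands for any run of characters (assumed semantics).
function globMatch(pattern, path) {
  const parts = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + parts.join('.*') + '$').test(path);
}

// Comma-separated list membership; "*" matches everything.
function csvHas(list, value) {
  return list === '*' || list.split(',').map(s => s.trim()).includes(value);
}

// Returns the index of the first rule that authorizes the request, or -1.
function firstMatchingRule(rules, request) {
  for (let i = 0; i < rules.length; i++) {
    const rule = rules[i];
    if (!globMatch(rule.pattern, request.path)) continue;
    const excluded = (rule.excludePatterns || '').split(',')
      .filter(Boolean).some(p => globMatch(p.trim(), request.path));
    if (excluded) continue;
    if (!csvHas(rule.roles, request.role)) continue;
    if (!csvHas(rule.methods, request.method)) continue;
    return i;
  }
  return -1;
}

// The two rules quoted in the ticket, with the admin catch-all first as in access.js.
const adminRule = excludePatterns => ({
  pattern: '*', roles: 'openidm-admin', methods: '*', actions: '*', excludePatterns,
});
const securityRule = {
  pattern: 'security/*', roles: 'openidm-admin', methods: 'read,create,update,delete', actions: '',
};
const rulesBefore = [adminRule('system/*,repo,repo/*'), securityRule];
const rulesAfter = [adminRule('system/*,repo,repo/*,security/*'), securityRule];

// Constructed request: an admin reading a hypothetical security/sample resource.
const adminRequest = { path: 'security/sample', role: 'openidm-admin', method: 'read' };

console.log('before:', firstMatchingRule(rulesBefore, adminRequest)); // 0: catch-all wins
console.log('after: ', firstMatchingRule(rulesAfter, adminRequest));  // 1: security rule
```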

            People

            Assignee: Andi Egloff (andi)
            Reporter: Laurent Bristiel (laurent.bristiel, Inactive)