Describe the Issue
When an object is instantiated of a type that contains a method (e.g. AcknowledgeableConditionType), and the RolePermissions are set on the instantiated method, the permissions can be bypassed by instead calling the type method.
This is because when the MasterNodeManager validates the request, it validates the roles on CallMethodRequest.MethodId - which does not refer to the concrete method. Then later on if this succeeds, CustomNodeManager2 acquires the concrete MethodState by calling method = source.FindMethod(systemContext, methodToCall.MethodId);. The permissions on this method are never validated.
Is this expected behavior? How is it possible to customize the role permissions for different concrete method nodes?
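The check order described in the issue above can be reproduced in a small model. This is an added example, not part of the original post and not code from the OPC UA stack: every name in it (`MethodNode`, `NODES`, `OBJECT_METHODS`, `resolve`, `check_requested_id`, `check_resolved`) is hypothetical, the address space is constructed sample data, and resolving the concrete method by browse name is an assumption standing in for `FindMethod`.

```python
# Simplified model of the check order described in the issue. Not code from the
# OPC UA .NET Standard stack; every name here is hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class MethodNode:
    browse_name: str
    call_roles: frozenset  # roles granted the Call permission on this node


# Constructed sample address space: the type-level method is open to Operator,
# while the method instance on the object Alarm1 is restricted to Admin.
NODES = {
    "Type.Acknowledge": MethodNode("Acknowledge", frozenset({"Operator", "Admin"})),
    "Alarm1.Acknowledge": MethodNode("Acknowledge", frozenset({"Admin"})),
}
# Method instances owned by each object, keyed by browse name.
OBJECT_METHODS = {"Alarm1": {"Acknowledge": "Alarm1.Acknowledge"}}


def resolve(object_id, method_id):
    """Stand-in for the FindMethod step: id of the method node that runs on the object."""
    requested = NODES[method_id]
    return OBJECT_METHODS[object_id].get(requested.browse_name, method_id)


def check_requested_id(role, object_id, method_id):
    """Order described in the issue: roles are validated on the requested MethodId only."""
    return role in NODES[method_id].call_roles


def check_resolved(role, object_id, method_id):
    """Hardened order: resolve first, then require Call on the requested and concrete nodes."""
    concrete = resolve(object_id, method_id)
    return all(role in NODES[node_id].call_roles for node_id in (method_id, concrete))


if __name__ == "__main__":
    # An Operator calls Acknowledge on Alarm1, once per MethodId form.
    for check in (check_requested_id, check_resolved):
        for method_id in ("Alarm1.Acknowledge", "Type.Acknowledge"):
            print(check.__name__, method_id, check("Operator", "Alarm1", method_id))
```

With the first check the Operator is refused on the instance MethodId but accepted on the type MethodId, even though both requests run the same instance method; the second check refuses both.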