APIs do not respect LoggedInSiteUser permissions #16135

Closed
wezell opened this issue Feb 26, 2019 · 3 comments

Comments

@wezell
Contributor

commented Feb 26, 2019

You can see this here by curling a piece of content that has only System.LoggedInSiteUser permissions - it should not be anonymously available.

curl https://demo.dotcms.com/api/content/id/e28708f8-e296-4995-be50-763649c6fbd4

This happens because our WebResource sets user to AnonUser if no user is found, which can gum up some of the permission checks.

wezell added a commit that referenced this issue Feb 26, 2019

@wezell wezell added this to the Cody Current milestone Apr 9, 2019

@jgambarios

Contributor

commented Apr 10, 2019

PR: #16353

jgambarios added a commit that referenced this issue Apr 10, 2019

@bryanboza bryanboza added this to CODY in QA Apr 11, 2019

@bryanboza

Contributor

commented Apr 11, 2019

After testing the last changes, we need some improvements here:

@bryanboza bryanboza moved this from CODY to In Review in QA Apr 11, 2019

@bryanboza

Contributor

commented Apr 12, 2019

After discussing my comment, it seems that 403 is OK. Fixed, tested on master // Postgres // FF

@bryanboza bryanboza moved this from In Review to Done in QA Apr 15, 2019

@wezell wezell closed this Apr 15, 2019
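
Added example, not dotCMS code and not part of the thread: a simplified Python model of how substituting an anonymous user object for a missing user can defeat a logged-in-only check, next to a stricter check that yields the 403 the thread settled on. All class and function names are hypothetical, and the flawed check ("any non-null user is logged in") is an assumption about one way such a fallback can go wrong.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Set

# Constructed identifiers for this model; not taken from the dotCMS code base.
ANON_ID = "anonymous"
LOGGED_IN_ROLE = "LoggedInSiteUser"


@dataclass(frozen=True)
class User:
    user_id: str


ANON_USER = User(ANON_ID)


@dataclass(frozen=True)
class Content:
    identifier: str
    read_roles: frozenset  # roles that may read this content


def resolve_user(session_user: Optional[User]) -> User:
    """Resource layer: fall back to the anonymous user when no user is found."""
    return session_user if session_user is not None else ANON_USER


def roles_naive(user: Optional[User]) -> Set[str]:
    """Flawed: treats any non-null user as logged in. After the fallback
    above the user is never null, so anonymous callers gain the role."""
    return {LOGGED_IN_ROLE} if user is not None else set()


def roles_strict(user: Optional[User]) -> Set[str]:
    """Hardened: the anonymous sentinel never receives the logged-in role."""
    if user is None or user.user_id == ANON_ID:
        return set()
    return {LOGGED_IN_ROLE}


def get_content(content: Content, session_user: Optional[User],
                role_fn: Callable[[Optional[User]], Set[str]]) -> int:
    """Return the HTTP status the API would send for a read request."""
    user = resolve_user(session_user)
    return 200 if content.read_roles & role_fn(user) else 403


if __name__ == "__main__":
    doc = Content("constructed-id", frozenset({LOGGED_IN_ROLE}))
    print("naive, anonymous:", get_content(doc, None, roles_naive))
    print("strict, anonymous:", get_content(doc, None, roles_strict))
    print("strict, logged in:", get_content(doc, User("alice"), roles_strict))
```
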
