
AccessControlMiddleware Fails to Check Permissions on Parent Nodes #284

walteralmeida opened this issue May 3, 2024 · 0 comments

We've identified an issue in the AccessControlMiddleware where permissions are checked only at the level of the individual navigation nodes and not cascaded to their parent nodes. This issue arises when trying to access HTML pages located within the ConstructedViews directory.

Current Behavior:
The AccessControlMiddleware determines if a user can access a particular navigation node by invoking goSecurityProvider.AuthorizeNavigationToAsync(navigationNode). This method checks if there is a direct authorization rule associated with the node itself.

Problem:
The method AuthorizeNavigationToAsync does not consider parent node permissions. This means that even if navigation to a parent node is explicitly denied, a user could still potentially access its child nodes directly through the URL, bypassing the intended security restrictions.

Expected Behavior:
The authorization check should include a recursive or cascading check to all parent nodes. If access to a parent node is denied, then all its child nodes should automatically inherit this restriction, making them inaccessible both through the navigation menu and direct URL access.

Current Workaround:
Currently, the navigation menu respects this hierarchy because child nodes are not displayed if a parent node is inaccessible. However, direct URL access to these child nodes remains possible, which is a significant security concern.

To mitigate this in the current version of our application, we advise administrators to explicitly set permission rules on all nodes, including both parents and children. This manual step will help ensure that access restrictions are applied comprehensively until the automated cascading permission check is implemented.

Suggested Actions:
1. Review and refactor AuthorizeNavigationToAsync to ensure it considers the permissions set on parent nodes.
2. Implement a cascading permission check that starts from the topmost parent node down to the requested node.
3. Ensure that these changes are thoroughly tested to prevent access control bypass through direct URL entries.
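The following is an added illustration of the behaviour described in this issue and of the suggested cascading check; it is not code from the project. The navigation node model, the rule store, the method name AuthorizeNavigationCascadingAsync and the sample node tree are all assumptions made for the example; only the name AuthorizeNavigationToAsync comes from the issue text.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Hypothetical navigation tree node: the real project's node type is not shown in the issue.
public sealed class NavigationNode
{
    public string Name { get; }
    public NavigationNode? Parent { get; }

    public NavigationNode(string name, NavigationNode? parent = null)
    {
        Name = name;
        Parent = parent;
    }
}

// Hypothetical rule: a node either has an explicit Allow, an explicit Deny, or no rule at all.
public enum Rule { Allow, Deny }

// Hypothetical stand-in for the security provider; it only stores per-node rules.
public sealed class NavigationSecurityProvider
{
    private readonly Dictionary<string, Rule> _rules = new();

    public void SetRule(string nodeName, Rule rule) => _rules[nodeName] = rule;

    // Current behaviour as the issue describes it: only the requested node's own rule is consulted.
    // A node with no rule is treated as reachable.
    public Task<bool> AuthorizeNavigationToAsync(NavigationNode node)
    {
        bool allowed = !_rules.TryGetValue(node.Name, out var rule) || rule == Rule.Allow;
        return Task.FromResult(allowed);
    }

    // Expected behaviour: evaluate every node from the topmost parent down to the requested node.
    // A Deny anywhere on the path makes the requested node inaccessible.
    public async Task<bool> AuthorizeNavigationCascadingAsync(NavigationNode node)
    {
        var path = new List<NavigationNode>();
        for (var current = node; current != null; current = current.Parent)
            path.Add(current);
        path.Reverse(); // root first

        foreach (var ancestorOrSelf in path)
        {
            if (!await AuthorizeNavigationToAsync(ancestorOrSelf))
                return false;
        }
        return true;
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Constructed sample tree: Admin (denied) -> Reports (no explicit rule).
        var admin = new NavigationNode("Admin");
        var reports = new NavigationNode("Reports", admin);

        var provider = new NavigationSecurityProvider();
        provider.SetRule("Admin", Rule.Deny);

        // Direct-only check: the child is reachable even though its parent is denied.
        bool directOnly = await provider.AuthorizeNavigationToAsync(reports);
        Console.WriteLine($"Direct-only check on Reports: {directOnly}");   // True  (bypass)

        // Cascading check: the parent's Deny is inherited by the child.
        bool cascading = await provider.AuthorizeNavigationCascadingAsync(reports);
        Console.WriteLine($"Cascading check on Reports: {cascading}");      // False (blocked)
    }
}
```

The path is collected and evaluated root-first to match the order the issue suggests; since a single Deny decides the outcome, walking upward from the requested node and stopping at the first Deny would give the same result. A middleware that resolves the requested URL to its navigation node and calls the cascading check before serving anything under ConstructedViews would close the direct-URL path that the navigation menu already hides.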
