We've identified an issue in the AccessControlMiddleware where permissions are checked only at the level of the individual navigation nodes and not cascaded to their parent nodes. This issue arises when trying to access HTML pages located within the ConstructedViews directory.
Current Behavior:
The AccessControlMiddleware determines if a user can access a particular navigation node by invoking goSecurityProvider.AuthorizeNavigationToAsync(navigationNode). This method checks if there is a direct authorization rule associated with the node itself.
Problem:
The method AuthorizeNavigationToAsync does not consider parent node permissions. This means that even if navigation to a parent node is explicitly denied, a user could still potentially access its child nodes directly through the URL, bypassing the intended security restrictions.
Expected Behavior:
The authorization check should include a recursive or cascading check to all parent nodes. If access to a parent node is denied, then all its child nodes should automatically inherit this restriction, making them inaccessible both through the navigation menu and direct URL access.
Current Workaround:
Currently, the navigation menu respects this hierarchy because child nodes are not displayed if a parent node is inaccessible. However, direct URL access to these child nodes remains possible, which is a significant security concern.
To mitigate this in the current version of our application, we advise administrators to explicitly set permission rules on all nodes, including both parents and children. This manual step will help ensure that access restrictions are applied comprehensively until the automated cascading permission check is implemented.
Suggested Actions:
Review and refactor AuthorizeNavigationToAsync to ensure it considers the permissions set on parent nodes.
Implement a cascading permission check that starts from the topmost parent node down to the requested node.
Ensure that these changes are thoroughly tested to prevent access control bypass through direct URL entries.
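As an added example, not code from this project, here is one shape the cascading check in the second suggested action could take in C#. It assumes a hypothetical NavigationNode that carries a Parent reference and stands in for the provider's per-node rule lookup with a delegate; every name other than AuthorizeNavigationToAsync is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;

// Hypothetical node shape (assumed): each node knows its parent, null at the root.
public sealed record NavigationNode(string Path, NavigationNode? Parent = null);

public enum Decision { Allow, Deny, NoRule }

public sealed class CascadingNavigationAuthorizer
{
    // Stand-in for the provider's direct, per-node rule lookup (assumed, not the project's API).
    private readonly Func<NavigationNode, string, Task<Decision>> _directRule;
    public CascadingNavigationAuthorizer(Func<NavigationNode, string, Task<Decision>> directRule) => _directRule = directRule;

    // Evaluates the chain from the topmost parent down to the requested node. A Deny on any
    // ancestor wins outright; a node without a rule of its own inherits the outcome so far.
    public async Task<bool> AuthorizeNavigationToAsync(NavigationNode node, string user)
    {
        var chain = new List<NavigationNode>();
        for (NavigationNode? n = node; n != null; n = n.Parent) chain.Add(n);
        chain.Reverse(); // topmost parent first, requested node last
        bool allowed = false; // default deny when no rule exists anywhere on the chain
        foreach (var n in chain)
        {
            var d = await _directRule(n, user);
            if (d == Decision.Deny) return false;    // denial cascades to every descendant
            if (d == Decision.Allow) allowed = true; // explicit allow, unless a lower node denies
        }
        return allowed;
    }
}

public static class Demo
{
    public static async Task Main()
    {
        var root = new NavigationNode("/");
        var admin = new NavigationNode("/admin", root);
        var page = new NavigationNode("/admin/ConstructedViews/report.html", admin);
        // Constructed rules: root allows everyone, /admin denies "alice", the page itself has no rule.
        Task<Decision> Rules(NavigationNode n, string user) => Task.FromResult(
            n.Path == "/" ? Decision.Allow
            : n.Path == "/admin" && user == "alice" ? Decision.Deny
            : Decision.NoRule);
        var auth = new CascadingNavigationAuthorizer(Rules);
        Console.WriteLine($"alice -> {await auth.AuthorizeNavigationToAsync(page, "alice")}");
        Console.WriteLine($"bob   -> {await auth.AuthorizeNavigationToAsync(page, "bob")}");
    }
}
```

With these constructed rules the page under ConstructedViews has no rule of its own, yet alice is refused because the denial on /admin cascades down, while bob inherits the allow from the root.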