Version: v2.4.6
Without being granted the AUTO form permission, a user only needs to obtain the link of an Online report (with a suffix such as /online/cgreport/1440866683953618945) to open the Online report page; the only difference is that the tab bar shows "AUTO Online Report" (AUTO在线报表).
This has already caused a serious permission leak in production. As an emergency measure we have temporarily changed the cgheadid; we hope the maintainers can fix this as soon as possible.
The user's role has not been granted any AUTO menu:
Result after obtaining the Online report link /online/cgreport/1440866683953618945 and opening it:
Looking at the API that fetches user permissions, I found that all online-related menus are returned by default? No authorization required? That doesn't match what the documentation says @zhangdaiscott
The documentation describes it like this:
Online reports do not have permission control yet; you can write an interceptor yourself to intercept the request id.
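One way to implement the interceptor suggested above, as an added example that is not JeecgBoot's own code: a Spring MVC HandlerInterceptor that refuses a request for /online/cgreport/{id} unless the caller holds the permission code mapped to that report, so possessing the link alone grants nothing. The ReportPermissionService and CurrentUserPermissions interfaces, the package name and the exact URL pattern are assumptions standing in for the application's own report metadata and user/role lookup.

```java
package example.online.security; // hypothetical package, not JeecgBoot's

import java.io.IOException;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.servlet.HandlerInterceptor;
import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

/** Hypothetical lookup: the permission code an Online report (by id) requires. */
interface ReportPermissionService {
    /** Returns the required permission code, or null if the report is unknown. */
    String requiredPermission(String reportId);
}

/** Hypothetical lookup: permission codes granted to the caller of this request. */
interface CurrentUserPermissions {
    /** Returns the caller's granted codes, or null if not authenticated. */
    Set<String> grantedCodes(HttpServletRequest request);
}

/**
 * Rejects Online report requests whose caller lacks the report's permission.
 * Deny by default: an unknown report id, a report with no mapped permission,
 * or an unauthenticated caller all result in 403.
 */
public class OnlineReportAuthInterceptor implements HandlerInterceptor {

    // Assumed request path of the report; adjust to the real backend route.
    static final String REPORT_PATTERN = "/online/cgreport/{id}";

    private final AntPathMatcher matcher = new AntPathMatcher();
    private final ReportPermissionService reportPermissions;
    private final CurrentUserPermissions userPermissions;

    public OnlineReportAuthInterceptor(ReportPermissionService reportPermissions,
                                       CurrentUserPermissions userPermissions) {
        this.reportPermissions = reportPermissions;
        this.userPermissions = userPermissions;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response,
                             Object handler) throws IOException {
        String path = request.getServletPath(); // path without the context root
        if (!matcher.match(REPORT_PATTERN, path)) {
            return true; // not a report request; other filters decide
        }
        Map<String, String> vars = matcher.extractUriTemplateVariables(REPORT_PATTERN, path);
        String reportId = vars.get("id");

        String required = reportPermissions.requiredPermission(reportId);
        Set<String> granted = userPermissions.grantedCodes(request);
        if (required == null || granted == null || !granted.contains(required)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return false; // stop before the handler runs
        }
        return true;
    }
}

/** Registers the interceptor for the report route (Spring Boot 2 / javax.servlet). */
@Configuration
class OnlineReportAuthConfig implements WebMvcConfigurer {
    private final ReportPermissionService reportPermissions;
    private final CurrentUserPermissions userPermissions;

    OnlineReportAuthConfig(ReportPermissionService reportPermissions,
                           CurrentUserPermissions userPermissions) {
        this.reportPermissions = reportPermissions;
        this.userPermissions = userPermissions;
    }

    @Override
    public void addInterceptors(InterceptorRegistry registry) {
        registry.addInterceptor(new OnlineReportAuthInterceptor(reportPermissions, userPermissions))
                .addPathPatterns("/online/cgreport/**");
    }
}
```

The two lookup interfaces must be provided as Spring beans by the application. The interceptor only fires on the patterns registered in addPathPatterns, so those patterns must cover every backend route that serves a report or returns its data; a check on the page route alone would leave the data endpoints open.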
It is not only Online reports that lack permission control; all online auto pages are unprotected by permissions by default. Anyone with the link, in any role, can access them freely, which is a very serious permission-leak risk. I have now refactored all Online report functionality into hand-written code.. @zhangdaiscott
Online forms do have permission control.