Security: allow manage_changeProperties globally
If "Manage properties" permission is allowed for Anonymous, is it a security breach? In other words, is it possible to put manage_changeProperties in a URL? I tried http://www.somewhere.com/somedocument/manage_changeProperties?title=xxx, it ran successfully but title remained intact... I need to increment a document property "number of readers". Is it safer to disable "Manage properties" for Anonymous and to assign Proxy role "Manager" to the method that calls manage_changeProperties and increments number of readers? -- Milos Prudek
Milos Prudek wrote:
> If "Manage properties" permission is allowed for Anonymous, is it a security breach?
> In other words, is it possible to put manage_changeProperties in a URL?
> I tried http://www.somewhere.com/somedocument/manage_changeProperties?title=xxx, it ran successfully but title remained intact...
Maybe because manage_changeProperties tries to call manage_propertiesForm (IIRC) if REQUEST is not None, which in turn causes an exception and aborts the transaction? If you do that as Manager, you'll see that it indeed is callable via the web.
> I need to increment a document property "number of readers". Is it safer to disable "Manage properties" for Anonymous and to assign Proxy role "Manager" to the method that calls manage_changeProperties and increments number of readers?
I'd say this is obvious, but you can even be more secure by just creating a role with "Manage properties" permission, and assign that as a proxy role... HTH, oliver
> I'd say this is obvious, but you can even be more secure by just creating a role with "Manage properties" permission, and assign that as a proxy role...
That sounds very reasonable. Thank you, Oliver! -- Milos Prudek
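To illustrate Oliver's suggestion, here is an added example (not code from the thread, and not Zope's real API): a small model of permission-to-role checks and proxy roles. It contrasts granting "Manage properties" to Anonymous with a dedicated role that only a reader-counter script proxies to; the class and role names are constructed for illustration.

```python
# Constructed model of Zope-style permission checks and proxy roles.
# Classes and the 'PropertyEditor' role are illustrative, not Zope's API.
class Unauthorized(Exception):
    pass

class Document:
    """Object whose properties are guarded by 'Manage properties'."""
    def __init__(self, title, permission_roles):
        self.props = {"title": title, "readers": 0}
        # permission name -> set of roles allowed to exercise it
        self.permission_roles = permission_roles

    def manage_changeProperties(self, caller_roles, **changes):
        allowed = self.permission_roles["Manage properties"]
        if not allowed & set(caller_roles):
            raise Unauthorized("Manage properties")
        self.props.update(changes)

class PythonScript:
    """Runs its body with the proxy roles (if any) instead of the caller's
    roles, as a Zope Python Script with proxy roles does; the caller can only
    trigger the script's own body, not arbitrary property changes."""
    def __init__(self, body, proxy_roles=None):
        self.body = body
        self.proxy_roles = proxy_roles

    def __call__(self, doc, caller_roles):
        return self.body(doc, self.proxy_roles or caller_roles)

def increment_readers(doc, roles):
    doc.manage_changeProperties(roles, readers=doc.props["readers"] + 1)
    return doc.props["readers"]

def weak_setup():
    # Anonymous holds 'Manage properties': any visitor may rewrite any property.
    return Document("original", {"Manage properties": {"Anonymous", "Manager"}})

def hardened_setup():
    # Only a dedicated role (and Manager) holds the permission; the counter
    # script proxies to that role, so Anonymous can only bump the counter.
    doc = Document("original", {"Manage properties": {"PropertyEditor", "Manager"}})
    return doc, PythonScript(increment_readers, proxy_roles={"PropertyEditor"})

def can_anonymous_change_title(doc):
    try:
        doc.manage_changeProperties(["Anonymous"], title="changed")
        return True
    except Unauthorized:
        return False
```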