Ticket #516 (new defect)

Opened 15 years ago

Last modified 14 years ago

protect stacks

Reported by: atchertchian
Owned by: janguenot
Priority: P3
Milestone: CPS 3.5.7
Component: CPSWorkflow
Version: TRUNK
Severity: normal
Keywords: stacks



Anybody can change the stack in restricted code by accessing it directly (even if the user cannot manage the stack):

    stack = wftool.getStackFor(context, stack_id)
    stack.push('user:test', 1)

Maybe security settings on the stack (new guards) have to be set on the variable too: empty or edit guards...

Change History

comment:1 Changed 15 years ago by atchertchian

  • Owner changed from bugs@… to ja@…

"Anybody" means anybody who can see the document.

comment:2 Changed 15 years ago by atchertchian

  • Cc bugs@… added

comment:3 Changed 14 years ago by janguenot

  • Version changed from CPS 3.3 branch to TRUNK
  • Milestone changed from unspecified to CPS 3.3.6

comment:4 Changed 14 years ago by janguenot

  • Priority changed from P2 to P3
  • Milestone changed from CPS 3.3.6 to CPS 3.5.0

I think this should be done at CMF level: protection of the workflow variable according to a given context. Remember, the stack is stored within a workflow variable and thus behaves as one.

I'll check if it could be done at DCWorkflow level.

It would be yet another security layer on this framework ;)
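
A simplified Python model of the reported behaviour and of the fix discussed above (guards enforced on the variable itself), added here as an illustration; it is not CPSWorkflow, DCWorkflow or CMF code. Only `getStackFor` and `push` are names from the ticket; the classes, the `guard_variable` switch and the `user` argument (standing in for `context`) are assumptions.

```python
# Simplified model, not CPS code. Only getStackFor() and push() come from
# the ticket; every other name here is hypothetical.

class Unauthorized(Exception):
    pass

class Stack:
    """The stack object stored inside a workflow variable."""
    def __init__(self):
        self.elements = []
    def push(self, elt, level=0):
        self.elements.append((elt, level))

class GuardedStack:
    """Proxy that re-checks the edit guard on every mutation."""
    def __init__(self, stack, can_edit):
        self._stack = stack
        self._can_edit = can_edit
    @property
    def elements(self):
        return tuple(self._stack.elements)  # read-only snapshot
    def push(self, elt, level=0):
        if not self._can_edit:
            raise Unauthorized("edit guard on the stack variable denies push")
        self._stack.push(elt, level)

class WorkflowTool:
    def __init__(self, managers, guard_variable):
        self._stacks = {}
        self._managers = set(managers)      # users who pass the edit guard
        self._guard_variable = guard_variable
    def getStackFor(self, user, stack_id):  # `user` stands in for `context`
        stack = self._stacks.setdefault(stack_id, Stack())
        if not self._guard_variable:
            return stack                    # raw object: behaviour reported in the ticket
        return GuardedStack(stack, user in self._managers)

def try_push(tool, user):
    """Return True if `user` could modify the stack through direct access."""
    stack = tool.getStackFor(user, "reviewers")
    try:
        stack.push("user:test", 1)
        return True
    except Unauthorized:
        return False
```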
