Daniel Keir Haywood created CAUSEWAY-3740:
---------------------------------------------

Summary: Fix security perms to prevent users from adding themselves to a role just by guessing the role.
Key: CAUSEWAY-3740
URL: https://issues.apache.org/jira/browse/CAUSEWAY-3740
Project: Causeway
Issue Type: Bug
Affects Versions: 2.0.0
Reporter: Daniel Keir Haywood
Assignee: Daniel Keir Haywood
Fix For: 2.1.0

While we currently do prevent users from adding a role to their ApplicationUser, we do not have a restriction to prevent a user from adding a user from an ApplicationRole. So if they were to guess what a role is, this is a backdoor.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
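
The gap reported above is an authorization check enforced at only one end of a two-way user/role relationship. The following is an added example, not Apache Causeway code and not the project's fix: a simplified model in which both entry points pass through one guarded method. The `Memberships` class, its method names and the `MANAGE_ROLE_MEMBERSHIP` permission are hypothetical.

```java
import java.util.*;

// Simplified model, not Apache Causeway code. Class, method and permission
// names are hypothetical; users and roles are constructed sample values.
public class RoleMembershipGuardDemo {
    static final String MANAGE_MEMBERSHIP = "MANAGE_ROLE_MEMBERSHIP"; // hypothetical

    static final class Memberships {
        private final Map<String, Set<String>> usersByRole = new HashMap<>();

        // Single choke point: the decision is attached to the relationship,
        // not to whichever object (user or role) the action hangs off.
        private void link(Set<String> actorPerms, String user, String role) {
            if (!actorPerms.contains(MANAGE_MEMBERSHIP)) {
                throw new SecurityException("may not change membership of " + role);
            }
            usersByRole.computeIfAbsent(role, r -> new HashSet<>()).add(user);
        }

        // User-side action: the end the report says is already restricted.
        void addRoleToUser(Set<String> actorPerms, String user, String role) {
            link(actorPerms, user, role);
        }

        // Role-side action: the end the report says lacked the restriction.
        void addUserToRole(Set<String> actorPerms, String role, String user) {
            link(actorPerms, user, role);
        }

        boolean isMember(String user, String role) {
            return usersByRole.getOrDefault(role, Set.of()).contains(user);
        }
    }

    static boolean denied(Runnable action) {
        try { action.run(); return false; } catch (SecurityException e) { return true; }
    }

    public static void main(String[] args) {
        Memberships m = new Memberships();
        Set<String> admin = Set.of(MANAGE_MEMBERSHIP);
        Set<String> alice = Set.of(); // ordinary user without the permission
        m.addUserToRole(admin, "auditors", "bob");
        System.out.println("user-side denied: " + denied(() -> m.addRoleToUser(alice, "alice", "auditors")));
        System.out.println("role-side denied: " + denied(() -> m.addUserToRole(alice, "auditors", "alice")));
        System.out.println("alice in auditors: " + m.isMember("alice", "auditors"));
        System.out.println("bob in auditors: " + m.isMember("bob", "auditors"));
    }
}
```

A regression test for this class of bug exercises every action that can create the membership, from both the user side and the role side, as an unprivileged caller.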