[ https://issues.apache.org/jira/browse/CAUSEWAY-3740?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Keir Haywood updated CAUSEWAY-3740:
------------------------------------------
Description: While we currently do prevent users from adding a role to
their ApplicationUser, we do not have a restriction to prevent a user from
adding a user from an ApplicationRole. So if they were to guess what a role
is, this might be a backdoor. (was: While we currently do prevent users from
adding a role to their ApplicationUser, we do not have a restriction to prevent
a user from adding a user from an ApplicationRole. So if they were to guess
what a role is, this is a backdoor.)
> Fix security perms to prevent users from adding themselves to a role just by
> guessing the role.
> -----------------------------------------------------------------------------------------------
>
> Key: CAUSEWAY-3740
> URL: https://issues.apache.org/jira/browse/CAUSEWAY-3740
> Project: Causeway
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: Daniel Keir Haywood
> Assignee: Daniel Keir Haywood
> Priority: Minor
> Fix For: 2.1.0
>
>
> While we currently do prevent users from adding a role to their
> ApplicationUser, we do not have a restriction to prevent a user from adding a
> user from an ApplicationRole. So if they were to guess what a role is, this
> might be a backdoor.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
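The gap the report describes, as an added example that is not Causeway's code: a toy user/role model in which the permission check guards only the user-side mutator, beside the same model with both mutators routed through one checked operation that also records who granted the membership. The class, function and role names (User, require_admin, grant, "secman-admin", "approvers") are constructed for the example.

```python
from dataclasses import dataclass, field

ADMIN_ROLE = "secman-admin"  # constructed name for the privileged role

class PermissionDenied(Exception):
    pass

@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

def require_admin(actor: User) -> None:
    if ADMIN_ROLE not in actor.roles:
        raise PermissionDenied(f"{actor.name} may not change role membership")

# Before: only the user-side mutator is guarded; the role-side one is not.
def user_add_role_before(actor: User, user: User, role: str) -> None:
    require_admin(actor)
    user.roles.add(role)

def role_add_user_before(actor: User, role: str, user: User) -> None:
    user.roles.add(role)  # no check: whoever can name the role reaches this path

# After: both entry points delegate to one checked operation that also records
# who granted the membership, so unexpected grants show up in an audit trail.
AUDIT: list = []

def grant(actor: User, user: User, role: str) -> None:
    require_admin(actor)
    user.roles.add(role)
    AUDIT.append((actor.name, user.name, role))

def user_add_role(actor, user, role): grant(actor, user, role)
def role_add_user(actor, role, user): grant(actor, user, role)

def self_grant(fn, *args) -> str:
    try:
        fn(*args)
        return "granted"
    except PermissionDenied:
        return "denied"

def demo() -> dict:
    # Plain user "bob" tries to join "approvers" through each mutator.
    bob = User("bob")
    return {"before.user_add_role": self_grant(user_add_role_before, bob, bob, "approvers"),
            "before.role_add_user": self_grant(role_add_user_before, bob, "approvers", bob),
            "after.role_add_user": self_grant(role_add_user, bob, "approvers", bob)}
```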