  • #5732
Closed
Open
Issue created Nov 14, 2017 by bmortier (@bmortier, Maintainer)

Listing objects should check ACL on attributes

Description

When using objects::ls, ACL can be checked by sending a parameter, but it only does a basic ACL check; it does not check that the asked attributes are allowed (this is done in the webservice since fd-plugins#5704 (closed) but should be moved to objects::). Also, all attributes are allowed in the filter, which can lead to an information leak as well.

FusionDirectory Version

1.3

Steps to Reproduce

  1. Use objects::ls through code or webservice
  2. You can see more info than you should

Expected behavior:

ACL should be respected for returned attributes and filter

Actual behavior:

Too much information is available

Additional Information

We should somehow still allow the use of attributes which are not in the ACL system when the caller has all rights on the given objectType. Operational attributes are also a complicated case.
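
A sketch of the check this issue asks for, added here as an illustration and not FusionDirectory code: requested attributes are trimmed to what the caller may read, and a filter that tests an unreadable attribute is refused, since the set of matching entries would otherwise reveal that attribute's values. The function names, the `$readable` list and the `$fullRights` flag are assumptions; operational attributes are not handled.

```php
<?php
// Added illustration, not FusionDirectory code; every name below is hypothetical.

/** Lowercased attribute names used by the items of an RFC 4515 filter string. */
function filterAttributes(string $filter): array
{
    $attrs = [];
    // A "(" not followed by &, | or ! opens an item: attr[;options][:dn][:rule] op value
    preg_match_all('/\(\s*([^&|!()\s][^()]*)\)/', $filter, $items);
    foreach ($items[1] as $item) {
        // Fail closed on anything unexpected, e.g. an extensible match with no attribute.
        if (!preg_match('/^([a-zA-Z0-9.-]+)[;:a-zA-Z0-9.-]*?[~<>:]?=/', $item, $m)) {
            throw new InvalidArgumentException("Unparsable filter item: ($item)");
        }
        $attrs[strtolower($m[1])] = true;
    }
    return array_map('strval', array_keys($attrs));
}

/**
 * @param string[] $requested  attributes the caller asked to get back
 * @param string[] $readable   attributes the caller's ACL allows reading (assumed input)
 * @param bool     $fullRights caller has all rights on the object type
 * @return string[] attributes that may be returned
 */
function checkListing(array $requested, string $filter, array $readable, bool $fullRights): array
{
    if ($fullRights) {
        return $requested; // attributes outside the ACL system stay usable
    }
    $readable = array_map('strtolower', $readable);
    $denied   = array_diff(filterAttributes($filter), $readable);
    if ($denied) {
        throw new RuntimeException('Filter uses unreadable attribute(s): ' . implode(', ', $denied));
    }
    return array_values(array_filter(
        $requested,
        fn($attr) => in_array(strtolower($attr), $readable, true)
    ));
}

// Constructed sample: the caller may read cn, uid and objectClass only.
$readable = ['cn', 'uid', 'objectClass'];
print_r(checkListing(['cn', 'userPassword'], '(&(objectClass=person)(uid=j*))', $readable, false));
try {
    checkListing(['cn'], '(&(objectClass=person)(userPassword=a*))', $readable, false);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```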
