Skip to content
GitLab
Closed
Created by Côme Chilliet@cchillietReporter

Listing objects should check ACL on attributes

Description

When using objects::ls ACL can be checked by sending a parameter but it only does basic acl check, it does not check asked attributes are allowed (this is done in webservice since fd-plugins#5704 (closed) but should be moved to objects::) Also all attributes are allowed in the filter which can lead to information leak as well

FusionDirectory Version

1.3

Steps to Reproduce

  1. Use objects::ls through code or webservice
  2. You can see more info than you should

Expected behavior:

ACL should be respected for returned attributes and filter

Actual behavior:

Too much information is available

Additional Information

We should somehow still allow the use of attributes which are not in the ACL system when the caller has all rights on the given objectType. Operational attributes are also a complicated case.