Listing objects should check ACL on attributes (#5732) · Issues · fusiondirectory / fusiondirectory

Listing objects should check ACL on attributes

Description

When using objects::ls ACL can be checked by sending a parameter but it only does basic acl check, it does not check asked attributes are allowed (this is done in webservice since fd-plugins#5704 (closed) but should be moved to objects::) Also all attributes are allowed in the filter which can lead to information leak as well

FusionDirectory Version

1.3

Steps to Reproduce

Use objects::ls through code or webservice
You can see more info than you should

Expected behavior:

ACL should be respected for returned attributes and filter

Actual behavior:

Too much information is available

Additional Information

We should somehow still allow the use of attributes which are not in the ACL system when the caller has all rights on the given objectType. Operational attributes are also a complicated case.

### Description

When using objects::ls ACL can be checked by sending a parameter but it only does basic acl check, it does not check asked attributes are allowed (this is done in webservice since fd-plugins#5704 but should be moved to objects::)
Also all attributes are allowed in the filter which can lead to information leak as well

### FusionDirectory Version

1.3

### Steps to Reproduce

1. Use objects::ls through code or webservice
2. You can see more info than you should

**Expected behavior:**

ACL should be respected for returned attributes and filter

**Actual behavior:**

Too much information is available

### Additional Information


We should somehow still allow the use of attributes which are not in the ACL system when the caller has all rights on the given objectType. Operational attributes are also a complicated case.

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.