Vulnerability when using portals

    I have created a portal role with access to the "case" scope only. The permissions are: create - yes, read - own, edit - no, delete - no, stream - own. The portal dashboard has a "My Cases" dashlet.

    When I log into the portal as a user who has only that role mentioned above, the dashlet lists my own cases only, which is correct. But when I open a case and click on the "Cases" link (which is displayed in front of the case title in the headline) I will see a list of all cases from all users. I can even click on a list entry to open that case's detail page. While most of the case details are hidden, I can still see the case title, status, creation date and creation user, so overall I get a view of things which might be confidential.

    A similar, even more sensitive problem occurs when I navigate to my user page and click on the "Users" link in front of my user name in the headline. Then I will see a list of all system and portal users, including login names, real names and email addresses!

    Am I missing something? Is there a way to prevent portal users from accessing these sensitive pages?
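The failure mode in the post above, as an added example that is not part of this thread and not the CRM's own code: a hypothetical ACL model (every name, record field, function and the role layout are assumptions, not the product's API) in which the dashlet, the list view and the detail view all go through one "read: own" check, shown beside an unfiltered list function that reproduces the leak. The sample records and the portal role are constructed from the permissions the post describes. The practical check it encodes: a scope the role does not mention is denied outright (the "Users" link), and a record the user may not read is refused at record level rather than served with some fields blanked, since a masked detail page still exposes title, status, creation date and creator.

```python
# Hypothetical model of per-scope ACL enforcement with a "read: own" level.
# Illustrative code written for this thread, not the CRM's implementation;
# record fields, role layout and function names are all assumed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Record:
    id: str
    entity: str                      # scope name, e.g. "Case" or "User"
    name: str                        # case title, or login name for a User
    created_by: str                  # id of the creating user
    assigned_to: Optional[str] = None


@dataclass
class Role:
    # scope -> permission -> level; a level is "yes", "own" or "no"
    scopes: dict


def read_level(role: Role, entity: str) -> str:
    """A scope the role does not list at all is treated as 'no' (deny by default)."""
    return role.scopes.get(entity, {}).get("read", "no")


def is_owner(user_id: str, rec: Record) -> bool:
    return user_id in (rec.created_by, rec.assigned_to)


def can_read(role: Role, user_id: str, rec: Record) -> bool:
    level = read_level(role, rec.entity)
    if level == "yes":
        return True
    if level == "own":
        return is_owner(user_id, rec)
    return False


# --- the failure mode described in the post --------------------------------
def list_records_unfiltered(db, entity):
    """Vulnerable: the list view queries by entity only and never consults
    the role, so a 'read: own' user is shown every user's records."""
    return [r for r in db if r.entity == entity]


# --- the enforcement every entry point (dashlet, list view) should share ----
def list_records(db, role, user_id, entity):
    """Hardened: refuse the scope when read is 'no', and apply the ownership
    filter inside the query itself when it is 'own'."""
    level = read_level(role, entity)
    if level == "no":
        raise PermissionError(f"{entity}: read not permitted")
    return [r for r in db if r.entity == entity and can_read(role, user_id, r)]


def get_record(db, role, user_id, record_id):
    """Detail view: decide at record level first. Hiding individual fields of a
    record the user may not read still leaks title, status and creator."""
    for r in db:
        if r.id == record_id:
            if not can_read(role, user_id, r):
                raise PermissionError(f"{r.entity} {record_id}: not readable")
            return r
    raise KeyError(record_id)


# Constructed sample data: three cases and three users; "alice" is the portal user.
DB = [
    Record("c1", "Case", "Printer jams", created_by="alice"),
    Record("c2", "Case", "Billing dispute", created_by="bob"),
    Record("c3", "Case", "Merger due diligence", created_by="admin", assigned_to="bob"),
    Record("u1", "User", "alice", created_by="admin"),
    Record("u2", "User", "bob", created_by="admin"),
    Record("u3", "User", "admin", created_by="admin"),
]

# The role from the post: Case scope only, read = own; the User scope is absent.
PORTAL_ROLE = Role(scopes={
    "Case": {"create": "yes", "read": "own", "edit": "no", "delete": "no", "stream": "own"},
})


def portal_check(db, role, user_id):
    """Return what each entry point exposes to the portal user, so the
    discrepancy the post describes can be asserted rather than eyeballed."""
    result = {
        "list_unfiltered": [r.id for r in list_records_unfiltered(db, "Case")],
        "list_enforced": [r.id for r in list_records(db, role, user_id, "Case")],
    }
    try:
        list_records(db, role, user_id, "User")
        result["users"] = "leaked"
    except PermissionError:
        result["users"] = "denied"
    try:
        get_record(db, role, user_id, "c2")     # bob's case, not alice's
        result["foreign_detail"] = "leaked"
    except PermissionError:
        result["foreign_detail"] = "denied"
    return result


if __name__ == "__main__":
    print(portal_check(DB, PORTAL_ROLE, "alice"))
```

Run as a script it prints the comparison for the portal user: the unfiltered list returns all three cases, the enforced one only her own, and both the Users scope and another user's case detail are refused. The design point is that the ownership filter lives in the query helper that every view calls, not in one dashlet, so a new link in the headline cannot bypass it.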

  • #2
    Will be fixed very soon. Thanks.

    • #3
      It's a recent bug we missed. It is now fixed. The new version is to be released today.

      • #4
        Wow, that was a quick fix! Everything works fine now. Thanks!