From: Adam R. <ada...@de...> - 2007-09-19 09:09:41
On Tue, 2007-09-18 at 22:11 -0400, Andrzej Jan Taramina wrote:

> Ran into some interesting things with the eXist-based application I've been
> working on, which might be bugs or at least areas that need attention:
>
> 1) If you delete a user then when you try to manipulate any collections/items
> that they had created, you can get some weird errors. Shouldn't there be a
> way to change the ownership of items/collections to be able to delete a user,
> but still keep the data that they put in the database, to prevent such stuff?

When removing a user, their resources should revert back to admin:dba, is that not the case?

> 2) I've been running a complex xquery using guest, since I'm using the rest
> interface/url to initiate the xquery execution from a browser (and there's no
> easy way to pass login credentials from the browser when using rest, but
> that's another matter). The xquery searches for an xml document (which
> happens to create date/time stamp of last time the query was run). It then
> either creates a new file or updates the old one with a new last access
> timestamp embedded in an element. If the file doesn't exist, then I get a
> permissions exception, which makes sense since guest shouldn't be able to
> write to the collection. No problem there. Where the real problem lies is
> that if the document already exists, guest can update it just fine! That
> seems like a huge breach of security, since the file was created by a
> different user with write permissions/ownership for the parent collection.
> Sounds like a big security bug to me?
>
> Thoughts?

Does the guest user have update permissions on that document or collection? If not, the reproducible test should be updating a document as guest when the document has no update permissions for guest. Is that correct?
>
> Andrzej Jan Taramina
> Chaeron Corporation: Enterprise System Solutions
> http://www.chaeron.com
>
> _______________________________________________
> Exist-open mailing list
> Exi...@li...
> https://lists.sourceforge.net/lists/listinfo/exist-open

--
Adam Retter
Principal Developer
Devon Portal Project
Room 310
County Hall
Topsham Road
Exeter EX2 4QD

t: 01392 38 3683
f: 01392 38 2966
e: ada...@de...
w: www.devonline.gov.uk
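The distinction Adam's reply turns on (does guest hold an update permission on the document itself, independently of who owns the parent collection) can be made concrete with a small model of the check. The following is an added example and not eXist code or anything posted in the thread. It models owner/group/other permission triples in the "rwu" (read/write/update) form that eXist 1.x reports, and assumes, for the purpose of the example only, that creating a new resource is checked against the parent collection's write bit, that modifying an existing resource is checked against that resource's own update bit, and that members of the dba group bypass the check. The collection and document paths, owners and modes are constructed for the example.

```python
"""
Simplified model of an owner/group/other permission check with eXist 1.x-style
"rwu" triples.  Written for this example only; it is not eXist's implementation.

Modelling assumptions (not taken from the thread):
  * creating a new resource needs the 'w' bit on the parent collection;
  * modifying an existing resource needs the 'u' bit on that resource;
  * members of the "dba" group bypass the check entirely.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


@dataclass
class Resource:
    path: str
    owner: str
    group: str
    mode: str  # nine chars: owner rwu, group rwu, other rwu; '-' for an unset bit

    def __post_init__(self):
        if len(self.mode) != 9:
            raise ValueError("mode must be nine characters, e.g. 'rwurwur--'")


BIT_OFFSET = {"r": 0, "w": 1, "u": 2}


def permission_class(p: Principal, res: Resource) -> int:
    """Return which triple applies: 0 = owner, 1 = group, 2 = other."""
    if p.name == res.owner:
        return 0
    if res.group in p.groups:
        return 1
    return 2


def is_dba(p: Principal) -> bool:
    return "dba" in p.groups


def allowed(p: Principal, res: Resource, bit: str) -> bool:
    """True if principal p holds `bit` ('r', 'w' or 'u') on res."""
    if is_dba(p):
        return True
    index = permission_class(p, res) * 3 + BIT_OFFSET[bit]
    return res.mode[index] == bit


def can_create_in(p: Principal, collection: Resource) -> bool:
    return allowed(p, collection, "w")


def can_update(p: Principal, doc: Resource) -> bool:
    return allowed(p, doc, "u")


def reproduce(doc_mode: str) -> dict:
    """
    Constructed scenario mirroring the report: a collection owned by admin that
    guest cannot write to, holding a document created by admin.  Only the
    document's own mode varies between the two runs.
    """
    admin = Principal("admin", frozenset({"dba"}))
    guest = Principal("guest", frozenset({"guest"}))
    app = Resource("/db/app", owner="admin", group="dba", mode="rwurwur--")
    doc = Resource("/db/app/lastrun.xml", owner="admin", group="dba", mode=doc_mode)
    return {
        "guest_can_create": can_create_in(guest, app),
        "guest_can_update": can_update(guest, doc),
    }


if __name__ == "__main__":
    # Document stored with 'u' granted to others: create denied, update allowed,
    # which matches the behaviour reported and is not a bug in the check itself.
    print(reproduce("rwurwurwu"))
    # Document stored without 'u' for others: if an update still succeeded here,
    # that would be the reproducible test case Adam asks for.
    print(reproduce("rwurwur--"))
```

The point of the two runs is that the collection's mode never changes: the parent collection's write bit decides whether guest may add a resource, while the document's own bits decide whether guest may change it. So the first thing to check on the real system is the mode of the existing document, and the bug report only stands if an update as guest succeeds when that document grants no update bit to guest.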