[GRP-715] secure member search and sort Created: 30/Nov/11 Updated: 07/Dec/11 Resolved: 07/Dec/11 |
|
Status: | Resolved |
Project: | Grouper |
Component/s: | API |
Affects Version/s: | 2.0.1 |
Fix Version/s: | 2.0.2 |
Type: | Bug | Priority: | Minor |
Reporter: | Chris Hyzer (upenn.edu) | Assignee: | Chris Hyzer (upenn.edu) |
Resolution: | Invalid | Votes: | 0 |
Labels: | None | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified |
Description |
search searching for a member of a group using the member search and sort, you shouldnt be able to see groups you cannot VIEW (or privs which imply VIEW). It now takes the GrouperSession into account when searching and wont return groups which the user isnt allowed to see. Note, we need to somehow allow the user to securely search for them though... under discussion... |
Comments |
Comment by mchyzer [ 07/Dec/11 ] |
This is not true, if you can READ a group, then you will be able to VIEW all its members implicitly, even if you dont have that privilege on the member group object |