LAMS Development / LDEV-2767

Make sure RedirectAction is not allowing unauthorised access

    Details

    • Type: Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.4
    • Fix Version/s: 2.4
    • Component/s: General
    • Labels:
      None

      Description

      When working on LDEV-1978 and AccessPermissionFilter it was discovered that security measures used in RedirectAction may not be sufficient.

      Verification is especially needed where the Learner is checked for membership of the specified ToolSession. There were situations when a new NonGroupedToolSession was created on access. This ToolSession contained only one member - the unauthorised user, who passes the check anyway because he *does* belong to that ToolSession.
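
The concern described above, as a simplified Java model added here for illustration (not LAMS code; the class, method and map names are hypothetical and the users are constructed sample data). It puts a membership check that runs after the session has been lazily created for the caller beside one that checks lesson participation first.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Simplified model, not LAMS code: every name below is hypothetical.
public class ToolSessionAccessDemo {
    // lessonId -> learners enrolled in the lesson (constructed sample data)
    static final Map<Long, Set<String>> LESSON_LEARNERS = Map.of(1L, Set.of("alice", "bob"));
    // "lessonId:userId" -> members of a lazily created non-grouped session
    static final Map<String, Set<String>> SESSIONS = new HashMap<>();

    // Creates a one-member session for the caller on first access, as the ticket describes.
    static Set<String> getOrCreateSession(long lessonId, String userId) {
        return SESSIONS.computeIfAbsent(lessonId + ":" + userId,
                key -> new HashSet<>(Set.of(userId)));
    }

    // Flawed: the session is created for the caller first, so the membership test is always true.
    static boolean flawedCheck(long lessonId, String userId) {
        return getOrCreateSession(lessonId, userId).contains(userId);
    }

    // Hardened: decide on lesson participation, which the request cannot alter,
    // before any session is created for the caller.
    static boolean hardenedCheck(long lessonId, String userId) {
        Set<String> learners = LESSON_LEARNERS.getOrDefault(lessonId, Set.of());
        if (!learners.contains(userId)) {
            return false; // non-participant: refuse and create nothing
        }
        return getOrCreateSession(lessonId, userId).contains(userId);
    }

    public static void main(String[] args) {
        // "mallory" is not enrolled in lesson 1; "alice" is.
        System.out.println("flawed, mallory:   " + flawedCheck(1L, "mallory"));
        SESSIONS.clear();
        System.out.println("hardened, mallory: " + hardenedCheck(1L, "mallory"));
        System.out.println("sessions created:  " + SESSIONS.size());
        System.out.println("hardened, alice:   " + hardenedCheck(1L, "alice"));
    }
}
```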

        Activity

        marcin Marcin Cieslak created issue -
        marcin Marcin Cieslak added a comment -
        No issues were found when using RedirectAction.
        It is correctly forbidding access to Learner and Monitor when the user is not a participant of the given lesson.
        marcin Marcin Cieslak made changes -
        Field Original Value New Value
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]
        ernieg Ernie Ghiglione added a comment -
        Closing now. Thanks Marcin
        ernieg Ernie Ghiglione made changes -
        Status Resolved [ 5 ] Closed [ 6 ]

          People

          • Assignee:
            marcin Marcin Cieslak
            Reporter:
            marcin Marcin Cieslak
          • Votes:
            0
            Watchers:
            0
