LAMS Development / LDEV-2767

Make sure RedirectAction is not allowing unauthorised access

    Details

    • Type: Task
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.4
    • Fix Version/s: 2.4
    • Component/s: General
    • Labels:
      None

      Description

      When working on LDEV-1978 and AccessPermissionFilter it was discovered that security measures used in RedirectAction may not be sufficient.

      Verification is especially needed where a Learner is checked for membership of the specified ToolSession. There were situations when a new NonGroupedToolSession was created on access. This ToolSession contained only one member - the unauthorised user, who passes the check anyway because he *does* belong to that ToolSession.
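
      The failure mode described above, as an added example that is not LAMS source code: a membership check that runs after a create-on-access lookup always passes, shown beside one possible hardened form (not necessarily the change made for this issue). The class, the method names, the in-memory maps and the `lessonLearners` enrolment set are all hypothetical stand-ins.

```java
import java.util.*;

// Hypothetical model of the flaw described in this issue; not LAMS source code.
public class ToolSessionAccessCheck {
    // toolSessionId -> learner user IDs (stand-in for persisted ToolSession membership)
    static final Map<Long, Set<Integer>> toolSessions = new HashMap<>();
    // Assumed server-side record of which learners are enrolled in the lesson
    static final Set<Integer> lessonLearners = new HashSet<>();

    // Flawed: the lookup creates a single-member session on a miss, so the
    // membership test that follows is satisfied by the requester's own request.
    static boolean flawedCheck(int userId, long toolSessionId) {
        Set<Integer> members = toolSessions.computeIfAbsent(
            toolSessionId, id -> new HashSet<Integer>(Set.of(userId)));
        return members.contains(userId);
    }

    // Hardened: authorise against state that existed before the request, then
    // look the session up without side effects. Nothing is created on denial.
    static boolean hardenedCheck(int userId, long toolSessionId) {
        if (!lessonLearners.contains(userId)) {
            return false;
        }
        Set<Integer> members = toolSessions.get(toolSessionId);
        return members != null && members.contains(userId);
    }

    public static void main(String[] args) {
        // Constructed sample data: learner 7 is enrolled, user 99 is not.
        lessonLearners.add(7);
        toolSessions.put(100L, new HashSet<Integer>(Set.of(7)));

        System.out.println("hardened, enrolled learner 7:  " + hardenedCheck(7, 100L));
        System.out.println("hardened, outsider 99, id 100: " + hardenedCheck(99, 100L));
        System.out.println("hardened, outsider 99, id 200: " + hardenedCheck(99, 200L));
        System.out.println("sessions after hardened calls: " + toolSessions.keySet());
        System.out.println("flawed, outsider 99, id 200:   " + flawedCheck(99, 200L));
        System.out.println("sessions after flawed call:    " + toolSessions.keySet());
    }
}
```

      The point to review in any such check is ordering: the authorisation decision must depend only on state the requester could not have created through the request being authorised.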

        Activity

        marcin Marcin Cieslak created issue
        marcin Marcin Cieslak made changes:
          Field       | Original Value | New Value
          Status      | Open [ 1 ]     | Resolved [ 5 ]
          Resolution  | (none)         | Fixed [ 1 ]
        ernieg Ernie Ghiglione made changes:
          Field       | Original Value | New Value
          Status      | Resolved [ 5 ] | Closed [ 6 ]

          People

          • Assignee:
            marcin Marcin Cieslak
            Reporter:
            marcin Marcin Cieslak