Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

UVE: 🐛 Prevent Read-Only Token Access to Working Content #30991

Open
3 tasks
Tracked by #30598
fmontes opened this issue Dec 19, 2024 · 3 comments · May be fixed by #31068
Open
3 tasks
Tracked by #30598

UVE: 🐛 Prevent Read-Only Token Access to Working Content #30991

fmontes opened this issue Dec 19, 2024 · 3 comments · May be fixed by #31068
Assignees
@KevinDavilaDotCMS
Labels
Merged QA : Needs Internal Team : Scout

Comments

@fmontes
Copy link
Member

fmontes commented Dec 19, 2024
edited
Loading

Problem Statement

Read-only API tokens are incorrectly allowed to access the working content of pages with future date set in the Page API, violating access control policies and potentially exposing unpublished content prematurely.

Objectives

  • Correctly enforce access controls based on user permissions.
  • Ensure that only live content is accessible by read-only tokens.

User Story

As an IT Security staff member, I want to ensure that read-only tokens can only access live content and not any working versions, so we can maintain content integrity and adhere to strict access policies.

Steps to reproduce

  1. Create a page with content in the future
  2. Request that page with the publishDate in the future to see the content and a read only token
  3. The content is returning and it should return a 401

Acceptance Criteria
Preview Give feedback

External Links

[Placeholder for external links to Slack conversations, support tickets, Figma designs, etc.]

Assumptions & Initiation Needs

  • Assumes that the API currently handles different types of tokens with varying access levels.

Quality Assurance Notes & Workarounds

[Placeholder for QA notes]

Technical Details

The API needs adjustments particularly in how permissions are verified for future-dated content requests.

Potential Challenges

  • Ensuring that the fix does not interfere with access rights for other user roles.

Impact on Existing Features

Ensure that permission checks do not negatively impact legitimate user accesses or API response times.
@KevinDavilaDotCMS KevinDavilaDotCMS mentioned this issue Dec 19, 2024
Open
@nollymar nollymar moved this from New to Next 1-3 Sprints in dotCMS - Product Planning Dec 27, 2024
@fabrizzio-dotCMS fabrizzio-dotCMS moved this from Next 1-3 Sprints to In Progress in dotCMS - Product Planning Jan 6, 2025
fabrizzio-dotCMS added a commit that referenced this issue Jan 6, 2025
@fabrizzio-dotCMS
#30991
372b1da
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 6, 2025

PRs:

@fabrizzio-dotCMS fabrizzio-dotCMS linked a pull request Jan 7, 2025 that will close this issue
fix(PageAPI) Permissions Accessing Working Content #31068
Draft
@fabrizzio-dotCMS
Copy link
Contributor

I have been testing different users with “read-only” tokens, and the 401 response is not necessarily expected.
For example:
Take Chris Publisher: remove the back-end role, apply the changes, and ensure they cascade. Now, create a token and access a page. CP can still access the page’s content.

Next, take a user created from scratch, assign only the back-end role, and grant “view” permissions for the site of interest. If you use the token immediately, you’ll get a 401. However, if you apply the changes in cascade, the token will now allow access to pages, and permissions should apply for filtering.

That said, I encountered a bug when filtering content in the “working” state. The issue arises because the construction of one of the objects used for filtering is taking the system user instead of the logged-in user.

@fabrizzio-dotCMS fabrizzio-dotCMS removed a link to a pull request Jan 17, 2025
fix(PageAPI) Permissions Accessing Working Content #31068
Draft
fabrizzio-dotCMS added a commit that referenced this issue Jan 17, 2025
@fabrizzio-dotCMS
#30991
ec6917f
@fabrizzio-dotCMS fabrizzio-dotCMS linked a pull request Jan 17, 2025 that will close this issue
fix(PageAPI) Permissions Accessing Working Content #31068
Draft
@fabrizzio-dotCMS fabrizzio-dotCMS moved this from In Progress to Internal QA in dotCMS - Product Planning Jan 17, 2025
@fabrizzio-dotCMS fabrizzio-dotCMS removed their assignment Jan 17, 2025
@fabrizzio-dotCMS
Copy link
Contributor

These fixes were merged as part of the branch #31072 therefore it can be tested and no additional merge is required

@KevinDavilaDotCMS KevinDavilaDotCMS self-assigned this Jan 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@KevinDavilaDotCMS KevinDavilaDotCMS

Labels
Merged QA : Needs Internal Team : Scout
Projects
dotCMS - Product Planning
Status: Internal QA
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix(PageAPI) Permissions Accessing Working Content dotCMS/core
4 participants
@fmontes @nollymar @fabrizzio-dotCMS @KevinDavilaDotCMS