Details

    • Severity:
      Security
    • Steps to reproduce:
      1. Ingest a video, publish it to Engage and set the access policy to private (the role ROLE_USER_ADMIN has read access).
      2. Create a user with the role ROLE_USER (as is the case with an LTI user).
      3. Log in as this user (e.g. in the Engage UI).

      Actual Results: This user can access the ingested video.

      Expected Results: This user has no access to the video.

      Workaround (if any): none

      Problem:
      The problem lies in the query that is sent to Solr:

          `"*:* AND oc_organization:mh_default_org AND (oc_acl_read:ROLE_USER_TEST OR oc_acl_read:ROLE_ANONYMOUS OR oc_acl_read:ROLE_USER) AND -oc_mediatype:Series AND -oc_deleted:[* TO *]"`

      Since ROLE_USER is a substring of ROLE_USER_ADMIN, Solr returns this entry even though the user has no matching role. A fix would be to always store each role enclosed in some sort of delimiter symbols (e.g. commas) and to require those delimiters in the search query, so that only an exact role name matches.
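      The following Python snippet is an added illustration, not code from the report or from the project. It models the match the report describes (a query for ROLE_USER hitting a stored ROLE_USER_ADMIN as a substring; Solr's real analyser is not reproduced) and shows how building both the stored value and the query term with the proposed comma delimiters removes the false positive. The index entries and the org name are constructed; the field names and the query shape come from the report.

```python
# Constructed index entries: each lists the roles that have read access.
INDEX = [
    {"id": "video-1", "oc_acl_read": ["ROLE_USER_ADMIN"]},  # private: admins only
    {"id": "video-2", "oc_acl_read": ["ROLE_ANONYMOUS"]},   # public
]

def stored_value(role, delimited):
    """Value as it would be indexed: bare role (current) or ',ROLE,' (proposed fix)."""
    return f",{role}," if delimited else role

def build_read_clause(roles, delimited):
    """The oc_acl_read part of the query; the term must use the same delimiters as the index."""
    terms = (f"oc_acl_read:{stored_value(r, delimited)}" for r in roles)
    return "(" + " OR ".join(terms) + ")"

def build_query(org, roles, delimited):
    """Same shape as the query quoted in the report, with the read clause swapped in."""
    return (f"*:* AND oc_organization:{org} AND {build_read_clause(roles, delimited)}"
            " AND -oc_mediatype:Series AND -oc_deleted:[* TO *]")

def entry_visible(entry, user_roles, delimited):
    """Substring match on the stored value, which is the behaviour the report observed.
    Without delimiters 'ROLE_USER' is found inside 'ROLE_USER_ADMIN';
    with delimiters ',ROLE_USER,' is not found inside ',ROLE_USER_ADMIN,'."""
    stored = [stored_value(r, delimited) for r in entry["oc_acl_read"]]
    queried = [stored_value(r, delimited) for r in user_roles]
    return any(q in s for s in stored for q in queried)

def visible_ids(user_roles, delimited):
    """Ids of the entries the user would see under the given storage scheme."""
    return [e["id"] for e in INDEX if entry_visible(e, user_roles, delimited)]

# Roles of the ROLE_USER account from the report; the private video must not be listed.
USER_ROLES = ["ROLE_USER_TEST", "ROLE_ANONYMOUS", "ROLE_USER"]

if __name__ == "__main__":
    print(build_query("mh_default_org", USER_ROLES, delimited=True))
    print("undelimited:", visible_ids(USER_ROLES, delimited=False))  # leaks video-1
    print("delimited:  ", visible_ids(USER_ROLES, delimited=True))   # only video-2
```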

      People

      • Assignee:
        Unassigned
      • Reporter:
        mtneug Matthias Neugebauer