peterkeating
commented
1 year ago This is now available in 1.3.1 - https://www.nuget.org/packages/Etch.OrchardCore.ContentPermissions/1.3.1
Closed jsobell closed 1 year ago
peterkeating
commented
1 year ago This is now available in 1.3.1 - https://www.nuget.org/packages/Etch.OrchardCore.ContentPermissions/1.3.1
At the moment, if you fail to configure a Redirect URL it ignores all of the permission checks with the assumption that every view has had access checking code applied. From a security aspect this is the worst possible scenario, as we are saying that by default we allow access if the user fails to specify a redirect, whereas it makes more sense to say that there is either an overarching default destination (even if it's the site root) or actually throw the default 403 so the developer knows they've left a gaping hole in their security, and the system can use the Orchard.Diagnostics module to handle the error? Am I missing something in the way this is supposed to be handled?