DB - ACL by subject allows inspecting other user's ACLs

ORNL / DataFed

A Federated Scientific Data Management System

https://ornl.github.io/DataFed/

Other

18 stars 14 forks source link

DB - ACL by subject allows inspecting other user's ACLs #772

Open dvstans opened 3 years ago

dvstans commented 3 years ago

The acl/by_subject DB method allows any user to view ACL information for any other user. This should be restricted to only the authenticated user or admins.