openwisp / OpenWISP-Geographic-Monitoring

A Rails application for managing a wISP's access points

Security: non restricted controllers #17

Closed nemesifier closed 11 years ago

nemesifier commented 12 years ago

Users with very low permission levels can access certain resources.

How to reproduce this issue:

  1. create a user with only "wisp_access_points_viewer"
  2. login with that user
  3. you won't be able to see the link to "configurations/owmw/edit"
  4. but if you try to access "configurations/owmw/edit" you'll be able to access it and modify the parameters

The same applies to the user CRUD interface I'm developing now, that's how I discovered the issue. Any suggestions before I proceed to try some technical solution?

dguerri commented 12 years ago

This is caused by the lack of authorization rules in the configurations_controller. Actually that controller only performs authentication (via the :authenticate_user filter). Please refer to this for an example about acl9 authorization.
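The gap described in the comment above, shown as a minimal plain-Ruby model added here for illustration; it is not the project's code and not the acl9 gem (whose `access_control do allow :role, :to => [...] end` block is what supplies the real check in a Rails controller). The `wisps_admin` role name and the action names are assumptions.

```ruby
# Constructed example: a minimal plain-Ruby model of the two controllers,
# not the project's code and not the acl9 gem. Role names are assumed.
User = Struct.new(:name, :roles)
class Forbidden < StandardError; end
class Unauthenticated < StandardError; end

# Before the fix: only authentication. Any logged-in user, whatever their
# roles, reaches every action, including edit.
class UnsafeConfigurationsController
  def initialize(user)
    @user = user
  end

  def dispatch(action)
    authenticate_user!
    send(action)
  end

  private
  def authenticate_user!
    raise Unauthenticated if @user.nil?
  end

  def show; :shown; end
  def edit; :edited; end
end

# After the fix: authentication plus a per-action role check, the shape of
# acl9's `access_control do allow :role, :to => [...] end` block.
class SafeConfigurationsController < UnsafeConfigurationsController
  # Which roles may invoke which actions (assumed role names).
  ALLOWED = {
    show: [:wisps_admin, :wisp_access_points_viewer],
    edit: [:wisps_admin],
  }.freeze

  def dispatch(action)
    authenticate_user!
    authorize!(action)
    send(action)
  end

  private
  def authorize!(action)
    permitted = ALLOWED.fetch(action, [])
    raise Forbidden if (@user.roles & permitted).empty?
  end
end
```

With the unsafe controller a user holding only `wisp_access_points_viewer` reaches `edit`; with the safe one the same request raises `Forbidden` while `show` still works.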

nemesifier commented 12 years ago

Here's the fix: https://github.com/nemesisdesign/OpenWISP-Geographic-Monitoring/commit/f348dc98c0536e1859f4b5d44a9ce5d119ddd8a0

We can either use cherry-pick or wait until the next pull request I'll send.

dguerri commented 12 years ago

There is no need to hurry here. Take your time.

nemesifier commented 11 years ago

Fixed