"Administer Nodes" (authored by) permission not respected by Node.save // Comment.save

ninjay - September 6, 2009 - 08:25
Project: Services
Version: 6.x-2.x-dev
Component: Code
Category: support request
Priority: normal
Assigned: Unassigned
Status: closed
Description

What is the recommended method for disallowing a user to impersonate another user when saving nodes and comments?

In JavaScript it's relatively easy to hack a node / comment object and post content as any user id, even without the permission to "administer nodes".

One solution would be to combine two service calls when saving. One that verifies the identity and immediately fires the save thereafter. I'd rather not do this. // Another solution is to clone the node.save service and build in an automatic user id filler. This doesn't seem to maintain the flexibility of the current service.

This issue should be moot. Shouldn't the "administer nodes" permission control this ability?
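A server-side check of the kind asked about above, as an added example that is not part of this thread or of the Services module: before a node or comment is saved, the client-supplied author fields are overwritten with the authenticated account's identity unless that account has the "administer nodes" permission. The function name is hypothetical, and the permission result is passed in as a parameter so the example runs without a Drupal bootstrap; in a real Drupal 6 module it would come from user_access('administer nodes', $account).

```php
<?php
// Added example (not Services module code): enforce "authored by" on the
// server. A client can put any uid into the posted node or comment object,
// so the server, not the client, must decide whose account the save uses.
//
// $object         - node or comment array as received from the client
// $account        - the authenticated user making the request
// $can_administer - user_access('administer nodes', $account) in a real
//                   module; passed in here to keep the example self-contained.
function enforce_author($object, $account, $can_administer) {
  if ($can_administer) {
    // Trusted: keep whatever authored-by values the client supplied.
    return $object;
  }
  // Untrusted: overwrite the identity fields instead of rejecting the
  // request, so the save still succeeds but as the real caller.
  $object['uid'] = (int) $account->uid;
  $object['name'] = $account->name;
  // Comments also carry free-text author fields meant for anonymous
  // posting; they must not be honoured for an authenticated user.
  unset($object['mail'], $object['homepage']);
  return $object;
}

// Constructed sample: an authenticated editor (uid 7) without
// "administer nodes" tries to post a node as uid 1.
$account = (object) array('uid' => 7, 'name' => 'editor');
$posted = array('type' => 'story', 'title' => 'Hello', 'uid' => 1, 'name' => 'admin');

$safe = enforce_author($posted, $account, FALSE);
assert($safe['uid'] === 7 && $safe['name'] === 'editor');

// The same request from an administrator keeps the requested author.
$kept = enforce_author($posted, $account, TRUE);
assert($kept['uid'] === 1);
```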

#1

ninjay - September 6, 2009 - 08:26
Title: Authored By Security on Node.save // Comment.save » "Administer Nodes" (authored by) permission not respected by Node.save // Comment.save

#2

heyrocker - December 3, 2009 - 02:20
Status: active » closed

I don't really get this issue. As far as I know there is no way in javascript to change the authored by information (and make it actually save) without administer nodes perms, and if there is you should contact the security team as it is a serious issue.

As far as I know there is also no way in services to do this, unless your services is set up such a way to allow it. If there is, again, this is a security issue and should be taken care of through that channel.

#3

heyrocker - December 3, 2009 - 02:21
Status: closed » fixed

#4

System Message - December 17, 2009 - 02:30
Status: fixed » closed

Automatically closed -- issue fixed for 2 weeks with no activity.
