Draft for 5.2
Collection of security related issues and improvements
We have several security-related issues or things we should improve:
ACLs dialog
- show all permissions (no drop-down) to give an overview
- aggregated permissions per user are already visible as of Magnolia 4.5, see MAGNOLIA-3938@jira for details
Delete permission: MAGNOLIA-2674@jira
- which permission do you need?
RegEx support
- even though the back-end uses regular expressions, one can only provide partial regular expressions (for instance /$)
Nodetype support
- one of the most annoying things is that the current ACLs cannot distinguish between paragraphs and subpages
- one would like to give edit permission to a page but not to its subpages
Custom AccessManager
- see: MAGNOLIA-2587@jira
Clean ACL resolution
- a clean concept is needed for how the actual permission is determined
- ACL entry overloading (if multiple ACLs apply, e.g. multiple roles)
Easy site support
- give edit permission to a single site
- currently one has to fall back on the ugly /$ hack
URISecurityFilter
- needs to be refactored and broken down into a subchain (or set of voters) for the operations that are currently all handled inside the original filter:
- HTTP method check
- IP check
- URI ACL check
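The voter decomposition sketched above, as an added example that is not Magnolia's code: three independent voters (HTTP method, client IP, URI ACL) are combined so that a single veto denies the request, and the URI voter accepts full, anchored regular expressions so a role can cover a page alone or the page with its subpages. All class names, the sample address and the role patterns are assumptions; save as UriSecurityVoters.java.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (not Magnolia code): a URI security filter split into independent
// voters, one per check; the chain denies unless every voter permits. Names are hypothetical.
public class UriSecurityVoters {
    private final List<Voter> voters;
    UriSecurityVoters(List<Voter> voters) { this.voters = voters; }
    boolean permits(Request r) { return voters.stream().allMatch(v -> v.permits(r)); }

    public static void main(String[] args) {
        UriSecurityVoters chain = new UriSecurityVoters(List.of(
            new HttpMethodVoter(),
            new IpVoter(Set.of("192.0.2.10")),                   // constructed sample address
            new UriAclVoter(Map.of(
                "site-editor", Pattern.compile("^/foo(/.*)?$"),  // page and all subpages
                "page-editor", Pattern.compile("^/foo$")))));     // the page alone
        System.out.println(chain.permits(new Request("GET", "192.0.2.10", "/foo/bar", Set.of("site-editor"))));
        System.out.println(chain.permits(new Request("GET", "192.0.2.10", "/foo/bar", Set.of("page-editor"))));
        System.out.println(chain.permits(new Request("DELETE", "192.0.2.10", "/foo", Set.of("site-editor"))));
    }
}

interface Voter { boolean permits(Request req); }

record Request(String method, String remoteAddr, String uri, Set<String> roles) {}

final class HttpMethodVoter implements Voter {
    private static final Set<String> ALLOWED = Set.of("GET", "HEAD", "POST");
    public boolean permits(Request r) { return ALLOWED.contains(r.method()); }
}

final class IpVoter implements Voter {
    private final Set<String> allowed;   // constructed allow-list of exact client addresses
    IpVoter(Set<String> allowed) { this.allowed = allowed; }
    public boolean permits(Request r) { return allowed.contains(r.remoteAddr()); }
}

final class UriAclVoter implements Voter {
    // role -> full, anchored regular expression over the request URI, so a role can cover
    // a page alone or the page together with its subpages (the "RegEx support" item above)
    private final Map<String, Pattern> rolePatterns;
    UriAclVoter(Map<String, Pattern> rolePatterns) { this.rolePatterns = rolePatterns; }
    public boolean permits(Request r) {
        return r.roles().stream().map(rolePatterns::get)
                .anyMatch(p -> p != null && p.matcher(r.uri()).matches());
    }
}
```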
3 Comments
Magnolia International
In addition to path-based permissions, we also need other types of permissions:
/foo/bar/${userid}
Magnolia International
Please look into Apache Shiro (fka jsecurity) to avoid reinventing wheels, and perhaps getting a few goodies for "free" ("remember me" features and other stuff)
Jan Haderka
Feedback from the community that is definitely interesting with regard to security and should be taken into consideration, although it is not related to ACLs:
http://forum.magnolia-cms.com/forum/thread.html?threadId=878e325c-2ac2-4b8f-8575-640c0c0740f3