Bug #9550

New privilege matching method does not allow menu or tab links to anchors (#foo)

Added by Jim Pingle 5 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Category: User Manager / Privileges
Target version:
Start date: 05/24/2019
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.4.4-p3
Affected Architecture: All

Description

The new privilege matching method does not allow menu or tab links to anchors, such as #foo. Since these are not pages, the file path check fails.

The only known affected location currently is the Status_Traffic_Totals package.

Associated revisions

Revision bdbd8534 (diff)
Added by Jim Pingle 5 months ago

Privilege matching -- allow JS anchors. Fixes #9550

Attempts to detect a special case where a file does not actually
exist, and yet should be allowed since it is used by JavaScript.

So long as the anchor name doesn't contain any characters that might let
it evade other checks, allow it through.

Revision f8560a14 (diff)
Added by Jim Pingle 5 months ago

Privilege matching -- allow JS anchors. Fixes #9550

Attempts to detect a special case where a file does not actually
exist, and yet should be allowed since it is used by JavaScript.

So long as the anchor name doesn't contain any characters that might let
it evade other checks, allow it through.

(cherry picked from commit bdbd8534eef5b93370065340de225a1cd5e5faa8)
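
The special case the commit messages describe, sketched as an added example (not code from the pfSense repository): a link that is only a JavaScript anchor skips the file-existence check, but only when its name passes a strict allow-list. The function names, the web root constant, the 64-character limit and the sample links are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical web root and helper names; constructed for illustration only.
const EXAMPLE_WEB_ROOT = '/usr/local/www';

function is_safe_js_anchor(string $link): bool
{
    // Allow-list: '#', one letter, then letters, digits, '_' or '-'.
    // '/', '.', '?', '%', whitespace and NUL bytes are all rejected, so the
    // value cannot be reinterpreted as a path, a query or an encoded string.
    return preg_match('/\A#[A-Za-z][A-Za-z0-9_-]{0,63}\z/', $link) === 1;
}

function link_passes_path_check(string $link, callable $exists): bool
{
    // Anchors are not files: validate the name instead of looking on disk.
    if (strncmp($link, '#', 1) === 0) {
        return is_safe_js_anchor($link);
    }
    // Ordinary links: drop query and fragment, then require a real file.
    $path = parse_url($link, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return false;
    }
    // basename() discards directory components such as "../".
    return $exists(EXAMPLE_WEB_ROOT . '/' . basename($path));
}

// Stub standing in for file_exists(); only one constructed page "exists".
$exists = fn(string $p): bool => $p === EXAMPLE_WEB_ROOT . '/example_page.php';

// Constructed sample links: a valid anchor, a valid page, and three rejects.
$samples = ['#hour', 'example_page.php?tab=1', '#../index.php', '#a%2Fb', 'missing.php'];
foreach ($samples as $link) {
    $verdict = link_passes_path_check($link, $exists) ? 'allow' : 'deny';
    printf("%-26s %s\n", $link, $verdict);
}
```

Passing this check only replaces the file-existence test for anchors; the link is still subject to whatever privilege matching follows.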

History

#1 Updated by Jim Pingle 5 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle about 2 months ago

  • Category changed from Web Interface to User Manager / Privileges

#3 Updated by Jim Pingle about 2 months ago

  • Status changed from Feedback to Resolved

Users with permissions for only traffic totals can see the tabs and change between them.
