[CKAN-support] Possible security weakness?

Aaron McGlinchy McGlinchyA at landcareresearch.co.nz
Wed Aug 27 01:21:29 UTC 2014


Hi, in my test installation I’ve been playing around with Groups, and users with different access levels, so that I can get clear for myself what rights different users have (I’m compiling a user guide for our staff).

We are running a basic install of CKAN 2.2, and have the home page setup to display ‘Search, stats, introductory area, feature organization and featured group’ in the config settings.

In my experimenting I have just found an odd occurrence re groups:

I have a dataset ‘Test by Aaron as Jerry’ which is in the Organisation ‘NVS’, and set as private.  If I click on Datasets to see a list of all datasets, then I see a list of only public datasets (even if I am logged in as SysAdmin).

However on the home page that private dataset which has been added to a group is being exposed (screen shot below) – both to me as Sysadmin, and also to a regular user who is not a member of the NVS organisation that Dataset belongs to (so they should definitely not be seeing it, nor should any user displayed on the home page under a featured group (or organisation)).

If the testmember user clicks onto the Fungi and Bacteria Group, then only the public datasets are displayed, so there is something in the featured group that is exposing private information.

If testmember attempts to open the private dataset then they are advised they are already logged in as testmember, asked if they want to logout and shown the login screen – so it doesn’t actually let them access the private dataset, but it is exposing some private details.

Since this is security related I thought it best to email you directly rather than post to the public listserver.

Regards
Aaron McGlinchy
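The behaviour reported above is a listing that ignores dataset privacy while the main Datasets page honours it. As an added illustration (not CKAN's code), the following models the visibility rule such a featured-group box should apply and audits a rendered listing for private datasets shown to users who may not read them. The dataset and organisation names, the rule that sysadmins and owning-organisation members may read a private dataset, and the sample data are all assumptions constructed for the example.

```python
# Added example, not CKAN's code: a visibility rule for group listings and a leak audit.
from dataclasses import dataclass


@dataclass(frozen=True)
class Dataset:
    name: str
    owner_org: str
    private: bool
    groups: frozenset = frozenset()


@dataclass
class User:
    name: str
    sysadmin: bool = False
    orgs: frozenset = frozenset()  # organisations the user belongs to


def can_read(user, dataset):
    """Assumed rule: private datasets are readable only by sysadmins and owning-org members."""
    if not dataset.private:
        return True
    if user is None:  # anonymous viewer
        return False
    return user.sysadmin or dataset.owner_org in user.orgs


def featured_group_datasets(datasets, group, user, limit=3):
    """What a featured-group box should list: group members the viewer is allowed to read."""
    return [d.name for d in datasets if group in d.groups and can_read(user, d)][:limit]


def find_leaks(rendered_names, datasets, user):
    """Audit a rendered listing: private datasets shown to a viewer who may not read them."""
    by_name = {d.name: d for d in datasets}
    return sorted(n for n in rendered_names if n in by_name and not can_read(user, by_name[n]))


# Constructed sample data mirroring the report: a private NVS dataset placed in a group.
DATASETS = [
    Dataset("test-by-aaron-as-jerry", "nvs", True, frozenset({"fungi-and-bacteria"})),
    Dataset("public-fungi-survey", "nvs", False, frozenset({"fungi-and-bacteria"})),
]
TESTMEMBER = User("testmember")                      # not a member of NVS
NVS_MEMBER = User("jerry", orgs=frozenset({"nvs"}))
SYSADMIN = User("admin", sysadmin=True)

# A listing that shows every group member regardless of privacy (the reported behaviour).
UNFILTERED_RENDER = [d.name for d in DATASETS if "fungi-and-bacteria" in d.groups]
```

Running `find_leaks(UNFILTERED_RENDER, DATASETS, TESTMEMBER)` flags the private dataset, while `featured_group_datasets` returns only what the viewer is entitled to see.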
