Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in
D
dmx-platform
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 76
    • Issues 76
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 0
    • Merge Requests 0
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Packages & Registries
    • Packages & Registries
    • Container Registry
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Members
    • Members
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • dmx-platform
  • dmx-platform
  • Issues
  • #384

Closed
Open
Opened Jul 06, 2020 by Jörg Richter@jriOwner

Non-readable topic/assoc may become visible through client-sync

The Topicmaps module broadcasts addTopicToTopicmap/addAssocToTopicmap websocket messages to all connected clients. Thus a topic/assoc might become visible on a topicmap even if the user lacks READ permission.

This happens e.g. when private topics/assocs are revealed on a shared topicmap.

Fix: for every websocket connection check if the associated user has READ permission for the topic/assoc. Only send message if so.

This is a follow-up of https://git.dmx.systems/dmx-intern/sprint-planning/-/issues/214#note_15396

Thank you @jpn for reporting!
@mukil FYI

Assignee
Assign to
DMX 5.0
Milestone
DMX 5.0
Assign milestone
Time tracking
None
Due date
None
Reference: dmx-platform/dmx-platform#384