ezjscore call access

Thursday 14 June 2012 6:04:54 pm - 4 replies

Hello everybody.

I have a little question about ezjscore. If you check the site.ini of ezjscore you can see that the anonymous user has access to the call and hello views:

[RoleSettings]
PolicyOmitList[]=ezjscore/hello
PolicyOmitList[]=ezjscore/call

If an anonymous user enters the following url: http://my-domain.com/ezjscore/call/ezjscnode::subtree::5

He can list the user accounts. I can comment out the PolicyOmitList, but if I upgrade ezpublish the changes will be removed.

However, if I create new server functions the anonymous user can't access them unless I configure the rights.

Is there a way to block the access of ezjscnode to the anonymous users ?

Thanks

Romain

Friday 15 June 2012 7:46:52 am

Hi Romain,

You can reset the [RoleSettings] in override/site.ini.append.php. But then you have to add all PolicyOmitList entries which are set in the custom extensions you need.

[RoleSettings]
PolicyOmitList[]
PolicyOmitList[]=user/login
PolicyOmitList[]=user/logout
PolicyOmitList[]=user/register
PolicyOmitList[]=user/activate
PolicyOmitList[]=user/success
PolicyOmitList[]=user/forgotpassword
PolicyOmitList[]=layout
#PolicyOmitList[]=manual
#PolicyOmitList[]=ezinfo/copyright
#PolicyOmitList[]=ezinfo/about
#PolicyOmitList[]=paypal/notify_url
#PolicyOmitList[]=ezjscore/hello
#PolicyOmitList[]=ezjscore/call

So you have under control what an anonymous user has access to by default.

For users who should have access to ezjscore/call you have to create a policy in the ezbackend.

Hope this will help.

Cheers Felix

Modified on Friday 15 June 2012 7:48:33 am by Felix Woldt

Friday 15 June 2012 10:21:57 am

Hi Felix,

Thanks for your help. I don't understand why ezjscore has these role settings by default. I think that a lot of ezpublish sites have not reset the role settings.

Romain

Friday 15 June 2012 11:58:20 am

Hi Romain,

Yes, you are right ... it is not easy to understand why.

It could be a performance issue. Modules which are permitted over the ini do not need a policy check on the db.

Cheers Felix

Saturday 16 June 2012 11:01:20 am

I think this has also been fixed in recent security-related commits - now the ezjscnode::subtree call will check the permissions of the current user, much in the same way as node/view/full does.
