Opened 10 years ago

Closed 10 years ago

#703 closed defect (fixed)

Feature Source cache appears to bypass resource security when viewing a map

Reported by: troylouden
Owned by: trevorwekel
Priority: medium
Milestone: 2.1
Component: Feature Service
Version: 2.0.1
Severity: major
Keywords:
Cc:
External ID: 1121278

Description

  • Create a user in Site Admin that is an author
  • In Studio, create a folder and create a feature source, a layer, a map and a web layout using Sample World Countries sdf.
  • Right click on the feature source in the site explorer and remove the inherited permissions for Everyone and add read/write permissions for the new user
  • Open the AJAX layout in the browser using Anonymous (no password) and the layer should fail to load in the map. An error indicating permission denied on the resource is generated in the server error log
  • Close the browser and launch the layout again, only log in with the new user, and the layer should preview
  • Close the browser again and launch the layout again but log in as Anonymous again and the layer will preview. It appears that the cached connection to the feature source somehow bypasses security.

The same logic applies to using a group instead of a user.
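The pattern the report suspects, shown as an added example that is not MapGuide code and is not taken from the attached patch: a connection cache keyed only by resource, where the permission check runs on a cache miss but not on a hit, next to the variant that authorizes every request. All class, function and user names and the resource id are hypothetical.

```cpp
// Added illustration with hypothetical names; not MapGuide source code.
#include <map>
#include <memory>
#include <set>
#include <stdexcept>
#include <string>

struct Connection { std::string resource; };  // stand-in for a cached provider connection

class FeatureService {
public:
    explicit FeatureService(bool authorizeEveryRequest)
        : authorizeEveryRequest_(authorizeEveryRequest) {}

    void Grant(const std::string& resource, const std::string& user) { acl_[resource].insert(user); }

    std::shared_ptr<Connection> Open(const std::string& user, const std::string& resource) {
        auto hit = cache_.find(resource);
        // Hardened: check the caller on every request.
        // Flawed: check only when the cache has no entry for the resource.
        if (authorizeEveryRequest_ || hit == cache_.end()) Authorize(user, resource);
        if (hit != cache_.end()) return hit->second;  // cache key carries no caller identity
        auto conn = std::make_shared<Connection>(Connection{resource});
        cache_[resource] = conn;
        return conn;
    }

private:
    void Authorize(const std::string& user, const std::string& resource) const {
        auto it = acl_.find(resource);
        if (it == acl_.end() || it->second.count(user) == 0)
            throw std::runtime_error("permission denied: " + resource);
    }
    bool authorizeEveryRequest_;
    std::map<std::string, std::set<std::string>> acl_;
    std::map<std::string, std::shared_ptr<Connection>> cache_;
};

bool Allowed(FeatureService& svc, const std::string& user, const std::string& res) {
    try { svc.Open(user, res); return true; } catch (const std::runtime_error&) { return false; }
}

// Replays the three sessions from the report; true means the last Anonymous request got through.
bool AnonymousAllowedAfterAuthorLogin(bool authorizeEveryRequest) {
    FeatureService svc(authorizeEveryRequest);
    const std::string fs = "Library://Test/Countries.FeatureSource";  // constructed resource id
    svc.Grant(fs, "author1");                        // Everyone removed, only the new user granted
    bool first = Allowed(svc, "Anonymous", fs);      // cold cache: denied in both variants
    Allowed(svc, "author1", fs);                     // authorized open populates the cache
    return !first && Allowed(svc, "Anonymous", fs);  // the request the ticket is about
}
```

A regression test for this class of bug needs the same ordering as the report: a denied request, then an authorized one, then the denied identity again against the warm cache.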

Attachments (1)

1121278.patch (10.6 KB) - added by troylouden 10 years ago.


Change History (3)

Changed 10 years ago by troylouden

Attachment: 1121278.patch added

comment:1 Changed 10 years ago by trevorwekel

Owner: changed from troylouden to trevorwekel
Status: new → assigned

Fix submitted to 2.0.x branch in http://trac.osgeo.org/mapguide/changeset/3331

comment:2 Changed 10 years ago by trevorwekel

Resolution: fixed
Status: assigned → closed