View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0006633 | libeufin | libeufin-nexus | public | 2020-10-29 22:10 | 2023-02-02 00:25 |
Reporter | MS | Assigned To | MS | ||
Priority | urgent | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Target Version | 0.9.1 | ||||
Summary | 0006633: Not all the requests get authenticated! | ||||
Description | Make sure that all the requests check the Authorization-header. | ||||
Tags | No tags attached. | ||||
|
It seems that some Taler facade API calls do not check any authorization. Besides that, all the "direct" EBICS operations (like /send-ini, for example) do not check the authorization either. |
|
Errata: Taler does check for authorization, just "later" in the flow, in the context of checking the permissions over the resources being offered. The only exception is /admin/add/incoming offered by Nexus. There, no authentication gets checked, because there is nothing to protect: see 0007588 |
|
Adding here the missing authentication checks: b714f8cd..fe4eaf34. The access control for the Nexus native API should, however, be made finer grained, as every call expects superuser privileges; tests and deployment fulfill that. |
Date Modified | Username | Field | Change |
---|---|---|---|
2020-10-29 22:10 | MS | New Issue | |
2020-11-10 11:47 | MS | Target Version | => 0.9.2 |
2021-01-14 00:27 | Florian Dold | Assigned To | => Florian Dold |
2021-01-14 00:27 | Florian Dold | Status | new => assigned |
2021-01-14 00:27 | Florian Dold | Priority | normal => urgent |
2021-05-27 10:35 | MS | Note Added: 0017911 | |
2021-05-27 10:36 | MS | Note Edited: 0017911 | |
2021-05-27 10:47 | MS | Note Added: 0017912 | |
2023-01-08 11:22 | Christian Grothoff | Target Version | 0.9.2 => 0.9.1 |
2023-01-10 18:54 | Florian Dold | Assigned To | Florian Dold => MS |
2023-01-15 17:48 | MS | Note Edited: 0017912 | |
2023-01-15 18:47 | MS | Note Added: 0019669 | |
2023-01-15 18:47 | MS | Status | assigned => resolved |
2023-01-15 18:47 | MS | Resolution | open => fixed |
2023-02-02 00:25 | Christian Grothoff | Status | resolved => closed |
2023-04-13 20:38 | Florian Dold | Category | nexus => libeufin-nexus |