View Issue Details

IDProjectCategoryView StatusLast Update
0006633libeufinnexuspublic2023-02-02 00:25
ReporterMS Assigned ToMS  
PriorityurgentSeverityminorReproducibilityhave not tried
Status closedResolutionfixed 
Target Version0.9.1 
Summary0006633: Not all the requests get authenticated!
DescriptionMake sure that all the requests check the Authorization-header.
TagsNo tags attached.

Activities

MS

2021-05-27 10:35

manager   ~0017911

Last edited: 2021-05-27 10:36

It seems that some Taler facade API calls do not check any authorization.

Beside that, all the "direct" EBICS operations (like /send-ini, for example) do not check the authorization neither.

MS

2021-05-27 10:47

manager   ~0017912

Last edited: 2023-01-15 17:48

Errata: Taler does check for authorization, just "later" in the flow, in the context of checking the permissions over the resources being offered. The only exception is /admin/add/incoming offered by Nexus. There no authentication gets checked, because nothing is to protect: see 0007588

MS

2023-01-15 18:47

manager   ~0019669

Adding here the missing authentication checks: b714f8cd..fe4eaf34

The access control for the Nexus native API should be made however finer grained, as
every call expects superuser privileges; tests and deployment fulfill that.

Issue History

Date Modified Username Field Change
2020-10-29 22:10 MS New Issue
2020-11-10 11:47 MS Target Version => 0.9.2
2021-01-14 00:27 Florian Dold Assigned To => Florian Dold
2021-01-14 00:27 Florian Dold Status new => assigned
2021-01-14 00:27 Florian Dold Priority normal => urgent
2021-05-27 10:35 MS Note Added: 0017911
2021-05-27 10:36 MS Note Edited: 0017911
2021-05-27 10:47 MS Note Added: 0017912
2023-01-08 11:22 Christian Grothoff Target Version 0.9.2 => 0.9.1
2023-01-10 18:54 Florian Dold Assigned To Florian Dold => MS
2023-01-15 17:48 MS Note Edited: 0017912
2023-01-15 18:47 MS Note Added: 0019669
2023-01-15 18:47 MS Status assigned => resolved
2023-01-15 18:47 MS Resolution open => fixed
2023-02-02 00:25 Christian Grothoff Status resolved => closed