Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

optional route param for content-item display #16355

Closed

Conversation

giannik
Copy link
Contributor

@giannik giannik commented Jun 20, 2024

allows optional route displaytype option for content item display

@@ -37,7 +37,7 @@ public async Task<IActionResult> Display(string contentItemId, string jsonPath)
return this.ChallengeOrForbid();
}

var model = await _contentItemDisplayManager.BuildDisplayAsync(contentItem, this);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we want to allow this. It can be a security issue that a user can specify arbitrary display types, even like SummaryAdmin, and thus look at the display of an item that normally they should never see.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

while i understand your point, I think of the display type as a visual layout of the content item so any sensitive information should not be related to the displaytype. we already use permissions for this. I mean you could easilly leak sensitive info in the detail display type too.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current assumption is though that the display type is something that's explicitly always set either by the developer or the administrator, and the developer can assume the context of each of them. This would break these assumptions.

If you search for "SummaryAdmin" in the codebase, you'll see that there are plenty of examples where the generates shapes display something meant for the admin without further authorization (e.g. the ArchiveLater, Localization, Lists modules). Regardless of these, or the other examples in OC being security issues or not, these changes would open up potentially unintended disclose of information displayed in such shapes.

We could audit Orchard Core to add authorizations everywhere, but then third-party code will still be open for abuse. And this is only "SummaryAdmin", but now you could generate displays any other, custom display type as well, with consequences that we can't determine.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants