- Type: Bug
- Status: Closed
- Priority: Blocker
- Resolution: Fixed
- Affects Version/s: 7.0
- Fix Version/s: 7.0
- Component/s: REST API v7
- Labels: None
- Comments: 2
- Documentation Status: Needed

When using subresources (e.g. /server/api/core/communities/c0e4de93-f506-4990-a840-d406f6f2ada7/collections or /server/api/core/collections/51715dd3-5590-49f2-b227-6a663c849921/parentCommunity) the permissions of both the main resource and the subresources should be verified. This should happen both when embedding and when performing the call directly.
This is apparently not verified anywhere in REST and should preferably be solved at a higher level (not per subresource) to ensure no use cases are forgotten.

- Is duplicated by: DS-4432 Traversing the REST API could be possible to reach not accessible objects (Closed)
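
The higher-level check the description asks for, sketched as an added example (a minimal Python model, not DSpace code or the fix that was shipped): one link resolver verifies READ on the main resource and on every target, and both the direct subresource call and embedding go through it. All names, the `readers` policy model, the sample identifiers, and the choice to omit unreadable targets rather than reject the request are assumptions.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller may not read the main resource."""

@dataclass
class Resource:
    uuid: str
    readers: set                                 # principals with READ (constructed model)
    links: dict = field(default_factory=dict)    # link name -> list of target uuids

# Constructed sample data: one public community, one restricted community,
# and collections with mixed visibility.
STORE = {r.uuid: r for r in [
    Resource("com-public", {"anonymous"}, {"collections": ["col-open", "col-staff"]}),
    Resource("com-staff", {"alice"}, {"collections": ["col-leaky"]}),
    Resource("col-open", {"anonymous"}, {"parentCommunity": ["com-public"]}),
    Resource("col-staff", {"alice"}, {"parentCommunity": ["com-public"]}),
    Resource("col-leaky", {"anonymous"}, {"parentCommunity": ["com-staff"]}),
]}

def can_read(user, res):
    return user in res.readers or "anonymous" in res.readers

def resolve_link(user, uuid, rel):
    """Single choke point: checks the main resource, then every link target."""
    main = STORE[uuid]
    if not can_read(user, main):
        raise Forbidden(uuid)
    targets = (STORE[t] for t in main.links.get(rel, []))
    # Assumption: unreadable targets are omitted instead of failing the request.
    return [t for t in targets if can_read(user, t)]

def get_subresource(user, uuid, rel):
    """Direct call, e.g. GET .../communities/{uuid}/collections."""
    return [t.uuid for t in resolve_link(user, uuid, rel)]

def get_with_embeds(user, uuid, rels):
    """Main resource plus embedded subresources; reuses the same resolver."""
    if not can_read(user, STORE[uuid]):
        raise Forbidden(uuid)
    return {"uuid": uuid,
            "_embedded": {rel: get_subresource(user, uuid, rel) for rel in rels}}
```

Because embedding calls the same resolver as the direct endpoint, a new link type added to `links` is covered without any per-subresource check.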