[GeoNetwork-devel] [GeoNetwork opensource Developer website] #400: Security hole in GeoNetwork -- search for owner

#400: Security hole in GeoNetwork -- search for owner
---------------------+------------------------------------------------------
Reporter: heikki | Owner: geonetwork-devel@…
     Type: defect | Status: new
Priority: blocker | Milestone: v2.6.2
Component: General | Version: v2.6.1
Keywords: |
---------------------+------------------------------------------------------
You can search and discover metadata that are (supposedly) not visible to
you.

To reproduce:

Assuming a clean installation of GeoNetwork (no metadata),

(1) Login as admin, load templates, load sample metadata. There now are 7
sample metadata, visible to all, owned by admin.

(2) Remove all privileges from one of those 7 metadata and log out.

Search by GUI Search button now correctly displays results for the 6
visible metadata. Now try

http://localhost:8080/geonetwork/srv/fr/main.search?any=&sortBy=relevance&hitsPerPage=10&owner=1

Included in the results are the metadata you should not be allowed to know
about.

--
Ticket URL: <http://trac.osgeo.org/geonetwork/ticket/400>
GeoNetwork opensource Developer website <http://trac.osgeo.org/geonetwork>
GeoNetwork opensource is a standards based, Free and Open Source catalog application to manage spatially referenced resources through the web. It provides powerful metadata editing and search functions as well as an embedded interactive web map viewer. This website contains information related to the development of the software.
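The defect described in the ticket is a search path (the `owner=` parameter) that returns records without applying the same privilege check as the normal search. The following is an added example, not GeoNetwork's own code: a constructed in-memory model of a catalogue with a per-record "view" privilege, a search function that reproduces the bug class (the owner filter is a separate branch that skips the privilege predicate), and a hardened search that ANDs the privilege predicate with every request criterion. Record layout, the group name `all`, the admin user id `1`, and all function names are assumptions made for illustration; the sample data mirrors the ticket (7 records owned by admin, publicly viewable, with all privileges removed from one of them).

```python
# Constructed model of a catalogue search with a per-record privilege check.
# Added example code, not GeoNetwork's implementation; record layout, group
# names, user ids and function names are assumptions for illustration.

from dataclasses import dataclass
from typing import Optional, FrozenSet, List

ALL_GROUP = "all"      # assumed name of the public/anonymous group
ADMIN_USER_ID = 1      # assumed id of the built-in admin account


@dataclass(frozen=True)
class Metadata:
    id: int
    owner: int
    title: str
    view_groups: FrozenSet[str]   # groups granted the "view" privilege


@dataclass(frozen=True)
class User:
    id: Optional[int]             # None = anonymous (not logged in)
    groups: FrozenSet[str]
    is_admin: bool = False


def sample_catalogue() -> List[Metadata]:
    """Constructed data mirroring the ticket: 7 records owned by admin and
    viewable by everyone, then record 7 has all privileges removed."""
    recs = [Metadata(i, ADMIN_USER_ID, f"sample-{i}", frozenset({ALL_GROUP}))
            for i in range(1, 8)]
    recs[6] = Metadata(7, ADMIN_USER_ID, "sample-7", frozenset())
    return recs


def can_view(user: User, rec: Metadata) -> bool:
    """Admin sees everything; the owner sees their own records; anyone else
    needs a shared group that holds the view privilege."""
    if user.is_admin or (user.id is not None and user.id == rec.owner):
        return True
    return bool(user.groups & rec.view_groups)


def matches_text(rec: Metadata, any_text: str) -> bool:
    # Empty 'any' matches everything, like the empty any= in the ticket URL.
    return not any_text or any_text.lower() in rec.title.lower()


def search_vulnerable(catalogue, user, any_text="", owner=None):
    """Bug class from the ticket: filtering by owner is a separate code path
    that never consults the privilege check, so hidden records leak."""
    if owner is not None:
        return [r for r in catalogue
                if r.owner == owner and matches_text(r, any_text)]
    return [r for r in catalogue
            if matches_text(r, any_text) and can_view(user, r)]


def search_hardened(catalogue, user, any_text="", owner=None):
    """Fix: the privilege predicate is ANDed with every request criterion,
    so no combination of parameters can bypass it."""
    def allowed(r: Metadata) -> bool:
        return (matches_text(r, any_text)
                and (owner is None or r.owner == owner)
                and can_view(user, r))
    return [r for r in catalogue if allowed(r)]


if __name__ == "__main__":
    cat = sample_catalogue()
    anon = User(None, frozenset({ALL_GROUP}))
    admin = User(ADMIN_USER_ID, frozenset({ALL_GROUP}), is_admin=True)
    print("vulnerable, anonymous, owner=1:",
          [r.id for r in search_vulnerable(cat, anon, owner=1)])
    print("hardened,   anonymous, owner=1:",
          [r.id for r in search_hardened(cat, anon, owner=1)])
    print("hardened,   admin,     owner=1:",
          [r.id for r in search_hardened(cat, admin, owner=1)])
```

The point of the hardened version is structural: the visibility predicate lives in one place and is applied unconditionally, rather than being repeated (or forgotten) in each filter branch. A regression test that searches as an anonymous user with every supported parameter, after removing privileges from one record, catches this class of defect before release.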