Work Package #49943

Security

Added by Aske Ertmann about 2 years ago. Updated almost 2 years ago.

Status: Accepted
Start date: 2013-10-03
Priority: Should have
Due date:
Assigned To: Andreas Förthner
% Done: 100%
Category: -
Spent time: -
Target version: 1.0 beta 1

Description

Defining the TYPO3 Neos Security Policy

  • Target Audience: everyone using Neos
  • Responsible: Andreas Förthner, Helmut Hummel
  • Implemented by: Andreas Förthner, Helmut Hummel
  • Version: must have for 1.0

Motivation

The Neos backend currently has many vulnerabilities. To ship a secure product and avoid security issues, and the loss of user trust that comes with them, we need to invest time in securing it.

Goal

To deliver a secure release we need to fix the known security issues and test whether there are others.

Deliverables

  • Policy for restricting access to controller actions

Not part of this work package:

  • Content security for nodes (see #45010)
  • Since editors have access to the HTML node type, we will not check for XSS that can be introduced by editors

Subtasks

Task #52500: Editors must only be able to access their own workspaces (Resolved)

Task #52504: WorkspaceController: Only publish your own workspace (Resolved)

Task #52505: UserSettingsController: check parameters of updateAction (Resolved)

Task #52506: WorkspacesController: Remove workspace selection feature (Resolved)

Task #52508: General restrictions for controller access (Resolved)

Task #52510: Check general purpose controllers (Resolved, Andreas Förthner)
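The deliverable "Policy for restricting access to controller actions" and subtask #52508 describe a method-level access policy for the Neos backend; the associated revision grants the Fluid widget controllers to "Everybody" on top of it. The fragment below is an added illustration in the TYPO3 Flow 2.x Policy.yaml format of how such a policy fits together; it is not the project's actual Policy.yaml, and the resource names, the exact controller namespaces and the role names Editor and Administrator are assumptions made for the example.

```yaml
# Illustrative Policy.yaml (Flow 2.x syntax), not the Neos project's own file.
# Flow evaluates a "method" resource as an AOP pointcut: every action matched
# by a resource is denied unless one of the caller's roles is granted it, so
# the broad BackendAccess resource below makes the whole backend deny-by-default
# and new controllers added later are protected until someone opens them up.
resources:
  methods:
    # Assumption: all Neos backend controllers live under TYPO3\Neos\Controller.
    TYPO3_Neos_BackendAccess: 'method(TYPO3\Neos\Controller\.*->.*Action())'

    # Assumption: the Fluid widget controllers (e.g. paginate) live here. Since
    # they render inside backend views they are matched by a wide policy and
    # must be opened explicitly, which is what the "Everybody" grant does.
    TYPO3_Neos_WidgetControllers: 'method(TYPO3\Fluid\ViewHelpers\Widget\Controller\.*->.*Action())'

    # Narrow resource for the one action the UserSettingsController subtask
    # hardens; keeping it separate lets a role be granted the rest of the
    # backend without this action, should that ever be needed.
    TYPO3_Neos_UserSettingsUpdate: 'method(TYPO3\Neos\Controller\Backend\UserSettingsController->updateAction())'

  entities: []

roles:
  # Assumed role names. Administrator inherits everything granted to Editor.
  Editor: []
  Administrator: [Editor]

acls:
  Editor:
    methods:
      TYPO3_Neos_BackendAccess: GRANT
      TYPO3_Neos_UserSettingsUpdate: GRANT

  # "Everybody" is Flow's built-in role held by every request, authenticated
  # or not. Granting only the widget controllers here keeps the rest of the
  # backend closed to anonymous callers.
  Everybody:
    methods:
      TYPO3_Neos_WidgetControllers: GRANT
```

Two things a reviewer would check against such a policy: first, that no resource pointcut is wider than the grant for "Everybody" needs (a typo such as `.*->.*()` on the widget resource would also match non-action methods), and second, that a policy grant alone does not satisfy subtasks #52500 and #52504. Those require an ownership check inside the action itself, because the policy only decides whether an editor may call the workspace actions at all, not which workspace the request names.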

Associated revisions

Revision 92894420
Added by Andreas Förthner almost 2 years ago

[TASK] Grant widget controllers to "Everybody"

Change-Id: Ib7b601a51141877be106ad12699c35f79643aa8e
Resolves: #49943
Reviewed-on: https://review.typo3.org/24328
Reviewed-by: Karsten Dambekalns
Tested-by: Karsten Dambekalns
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
Reviewed-by: Andreas Förthner
Tested-by: Andreas Förthner

History

#1 Updated by Aske Ertmann about 2 years ago

  • Tracker changed from Task to Work Package

#2 Updated by Andreas Förthner almost 2 years ago

  • Status changed from New to Accepted
  • Assigned To set to Andreas Förthner

#3 Updated by Andreas Förthner almost 2 years ago

  • Subject changed from [WIP][Assignee missing] Security to Security

#4 Updated by Gerrit Code Review almost 2 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/24328

#5 Updated by Andreas Förthner almost 2 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:928944201b34ecc0fdae48fff85078f3bc2d19d8.

#6 Updated by Andreas Förthner almost 2 years ago

  • Status changed from Resolved to Accepted
