Details
- Improvement
- Resolution: Unresolved
- Trivial
- None
- None
Description
Accessing a URL with an invalid CO, like
/registry/co_extended_attributes/edit/2/co:145
leaks information, since the authn check is performed after the CO ID is validated. While authz can't take place until the CO ID is validated, at least authn could, though there may not be an elegant way to do this in Cake.
Issue Links
- is related to
  - CO-620 Discontinue Use of CO ID in URL (In Progress)
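
A minimal model of the ordering problem in the description, as an added example that is not the project's code and does not use CakePHP APIs. The function names, HTTP status codes, CO IDs and session token are assumptions constructed for illustration.

```php
<?php
// Constructed sample data: one existing CO and one valid session token.
const KNOWN_COS = [1 => 'Example CO'];
const SESSIONS  = ['tok-alice' => 'alice'];

// Hypothetical stand-ins for the two checks named in the ticket.
function authenticate(?string $token): ?string {
    if ($token === null || !array_key_exists($token, SESSIONS)) {
        return null;
    }
    return SESSIONS[$token];
}

function coExists(int $coId): bool {
    return array_key_exists($coId, KNOWN_COS);
}

// Order described in the ticket: the CO ID is validated before authn.
function handleCoFirst(int $coId, ?string $token): int {
    if (!coExists($coId)) {
        return 404;               // assumed status; reached without credentials
    }
    if (authenticate($token) === null) {
        return 401;
    }
    return 200;                   // authz against the validated CO would go here
}

// Reordered: authn first, so CO validation only runs for a known user.
function handleAuthnFirst(int $coId, ?string $token): int {
    if (authenticate($token) === null) {
        return 401;               // same answer for every CO ID
    }
    if (!coExists($coId)) {
        return 404;
    }
    return 200;                   // authz still happens after CO validation
}

// Compare responses for an existing CO (1) and a nonexistent one (145).
foreach (['handleCoFirst', 'handleAuthnFirst'] as $handler) {
    foreach ([null, 'tok-alice'] as $token) {
        $valid   = $handler(1, $token);
        $invalid = $handler(145, $token);
        $who     = $token === null ? 'unauthenticated' : 'authenticated';
        $leak    = ($token === null && $valid !== $invalid) ? 'differs without login' : '';
        printf("%-17s %-15s co:1=%d co:145=%d %s\n", $handler, $who, $valid, $invalid, $leak);
    }
}
```

Only the `handleCoFirst` row for the unauthenticated caller shows two different status codes; with authn moved first, both CO IDs return the same response until the caller has logged in.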