[Grok-dev] Data modelling & security

Matthias nitro at dr-code.org
Sun Jan 16 20:41:49 EST 2011


On 17.01.2011 at 02:34, Matthias <nitro at dr-code.org> wrote:

> Alternative:
>
> Task     User         Assignment       Result
> ------------------------------------------------
>    -        -             -              nothing
>    x        -             -              Task, but not user
>    x        x             -              Task, but not user
>    x        -             x              Task, but dummy user
>    -        x             -              nothing
>    -        x             x              dummy task, user
>    -        -             x              dummy task, dummy user
>    x        x             x              Task and user
>
> Dummy objects are basically just empty "Unknown/Protected" objects.

Oops, there's a security hole in there :) The "dummy task, user" and  
"dummy task, dummy user" lines are wrong. The task should not have been  
retrieved since the "dueDate" attribute should not have been accessible in  
the first place. So both of these lines should be changed to "nothing".

-Matthias
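
The corrected table written as a fail-closed query, added here as an illustration; it is not code from the post or from Grok. The filter on `dueDate`, the sample tasks and every function name are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

PROTECTED = "Unknown/Protected"  # the "dummy" placeholder object from the post

@dataclass
class Task:
    title: str
    dueDate: date
    assignee: str  # user reached through the Assignment relation

# Constructed sample data.
TASKS = [
    Task("rotate keys", date(2011, 1, 20), "alice"),
    Task("patch server", date(2011, 3, 1), "bob"),
]

def tasks_due_before(cutoff, can_task, can_user, can_assignment):
    """Return (task title, user) pairs following the corrected table."""
    # Fail closed before reading dueDate: filtering on an attribute the
    # caller may not read would reveal which tasks match, even when only
    # dummy tasks are handed back.
    if not can_task:
        return []
    results = []
    for task in TASKS:
        if task.dueDate >= cutoff:
            continue
        if not can_assignment:
            user = None           # relation not traversable: "Task, but not user"
        elif not can_user:
            user = PROTECTED      # relation visible, target hidden: dummy user
        else:
            user = task.assignee  # "Task and user"
        results.append((task.title, user))
    return results

def table(cutoff=date(2011, 2, 1)):
    """Evaluate all eight (Task, User, Assignment) permission combinations."""
    return {
        (t, u, a): tasks_due_before(cutoff, t, u, a)
        for t in (False, True)
        for u in (False, True)
        for a in (False, True)
    }
```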

