Work Package #49943

Security

Added by Aske Ertmann over 8 years ago. Updated about 8 years ago.

Status:
Accepted
Priority:
Should have
Category:
-
Target version:
Start date:
2013-10-03
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)

Description

Defining the TYPO3 Neos Security Policy

  • Target Audience: everyone using Neos
  • Responsible: Andreas Förthner, Helmut Hummel
  • Implemented by: Andreas Förthner, Helmut Hummel
  • Version: must have for 1.0

Motivation

There are lots of vulnerabilities in the Neos backend currently. In order to provide a secure product and avoid security issues and thereby distrust from users, we need to invest time in securing it.

Goal

In order to deliver a secure release we need to fix the known security issues and test whether there are others.

Deliverables

  • Policy for restricting access to controller actions

Not part of this work package:

  • Content security for nodes (see #45010)
  • Since editors have access to the html node type, we will not check for any XSS that can be introduced by editors

Subtasks

Task #52500: Editors must only be able to access their own workspaces (Resolved, 2013-10-03)
Task #52504: WorkspaceController: Only publish your own workspace (Resolved, 2013-10-03)
Task #52505: UserSettingsController: check parameters of updateAction (Resolved, 2013-10-03)
Task #52506: WorkspacesController: Remove workspace selection feature (Resolved, 2013-10-03)
Task #52508: General restrictions for controller access (Resolved, 2013-10-03)
Task #52510: Check general purpose controllers (Resolved, assigned to Andreas Förthner, 2013-10-03)
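The subtasks above describe the same fix three times: a controller action that takes a workspace name from the request must verify that the workspace belongs to the authenticated editor, or better, must not take the name from the request at all. The following is an added example in plain PHP, written for this page and not taken from Neos or Flow; the class names, the "user-<identifier>" naming of personal workspaces, the "Administrator" role and the sample workspaces are all assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not Neos code. Models the checks behind subtasks #52500,
// #52504 and #52506. Class names, the "user-<identifier>" workspace naming
// and the "Administrator" role are assumptions made for this demo.

final class AccessDeniedException extends RuntimeException {}

final class Account
{
    /** @param string[] $roles */
    public function __construct(public string $identifier, public array $roles = []) {}

    public function hasRole(string $role): bool
    {
        return in_array($role, $this->roles, true);
    }
}

final class Workspace
{
    /** @param string[] $pendingChanges node paths awaiting publication (constructed sample data) */
    public function __construct(
        public string $name,
        public ?string $owner,            // account identifier; null for a shared workspace
        public array $pendingChanges = []
    ) {}
}

final class WorkspaceRepository
{
    /** @var array<string, Workspace> */
    private array $byName = [];

    public function add(Workspace $workspace): void
    {
        $this->byName[$workspace->name] = $workspace;
    }

    public function findByName(string $name): ?Workspace
    {
        return $this->byName[$name] ?? null;
    }
}

final class WorkspacePublisher
{
    public function __construct(private WorkspaceRepository $repository) {}

    // Before: the action trusts the workspace name from the request, so any
    // authenticated editor can publish (or inspect) another editor's workspace.
    public function publishUnchecked(string $workspaceName): array
    {
        return $this->flush($this->load($workspaceName));
    }

    // After (#52504): the named workspace must belong to the caller, unless
    // the caller is an administrator.
    public function publish(string $workspaceName, Account $caller): array
    {
        $workspace = $this->load($workspaceName);
        $isOwner = $workspace->owner !== null && $workspace->owner === $caller->identifier;
        if (!$isOwner && !$caller->hasRole('Administrator')) {
            throw new AccessDeniedException(
                sprintf('%s may not publish workspace "%s"', $caller->identifier, $workspace->name)
            );
        }
        return $this->flush($workspace);
    }

    // After (#52506): no workspace selection at all. The workspace is derived
    // from the authenticated account, so there is no parameter to tamper with.
    public function publishOwn(Account $caller): array
    {
        return $this->flush($this->load('user-' . $caller->identifier));
    }

    private function load(string $name): Workspace
    {
        $workspace = $this->repository->findByName($name);
        if ($workspace === null) {
            throw new InvalidArgumentException(sprintf('Unknown workspace "%s"', $name));
        }
        return $workspace;
    }

    /** Moves the pending changes out of the workspace and returns what was published. */
    private function flush(Workspace $workspace): array
    {
        $published = $workspace->pendingChanges;
        $workspace->pendingChanges = [];
        return $published;
    }
}

// Constructed sample data: two editors, each with a personal workspace.
$repository = new WorkspaceRepository();
$repository->add(new Workspace('user-alice', 'alice', ['/sites/neos/home']));
$repository->add(new Workspace('user-bob', 'bob', ['/sites/neos/about']));
$publisher = new WorkspacePublisher($repository);
$alice = new Account('alice', ['Editor']);

// Alice publishing Bob's work: accepted by the unchecked action, refused by the fixed one.
printf("unchecked: %s\n", implode(',', $publisher->publishUnchecked('user-bob')));
try {
    $publisher->publish('user-bob', $alice);
} catch (AccessDeniedException $e) {
    printf("checked: %s\n", $e->getMessage());
}
printf("own: %s\n", implode(',', $publisher->publishOwn($alice)));
```

Run with `php example.php` (PHP 8.0 or later, for constructor property promotion). The same pattern applies to #52505: an updateAction on user settings should bind to the authenticated account rather than accept an account identifier among its request parameters, so that there is nothing for another user to substitute.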
#1

Updated by Aske Ertmann about 8 years ago

  • Tracker changed from Task to Work Package
#2

Updated by Andreas Förthner about 8 years ago

  • Status changed from New to Accepted
  • Assignee set to Andreas Förthner
#3

Updated by Andreas Förthner about 8 years ago

  • Subject changed from [WIP][Assignee missing] Security to Security
#4

Updated by Gerrit Code Review about 8 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at https://review.typo3.org/24328

#5

Updated by Andreas Förthner about 8 years ago

  • Status changed from Accepted to Resolved
  • % Done changed from 0 to 100

Applied in changeset commit:928944201b34ecc0fdae48fff85078f3bc2d19d8.

#6

Updated by Andreas Förthner about 8 years ago

  • Status changed from Resolved to Accepted
