Token for channel A makes a non-public webpage from channel B accessible
last edited: Tue, 14 Nov 2017 08:59:07 +0100
- I created webpage WPB http://dummy.org/page/wpb on channel B with [observer=1/0] protected content
- I created Token TCA for channel A zat=tca
- I open webpage WPB with token for channel A
- I see protected content in webpage WPB
@Mike M. closed the issue https://github.com/redmatrix/hubzilla/issues/909 , but I think it is a bug that Hubzilla displays protected content in webpage WPB for a visitor with token TCA, which is valid for channel A, because I created the token for access to channel A, not to channel B.
Similar to Login on Hubs:
- a valid login on hub https://hub.freecommunication.org/ is no permission to log in on hub https://macgirvin.com/
- I anticipate that a valid token for https://hub.freecommunication.org/channel/nmoplus is no permission for https://hub.freecommunication.org/channel/wallzilla
A malicious user from channel https://hub.freecommunication.org/channel/A can make a token TCB and get access to token-protected content on channel https://hub.freecommunication.org/channel/B
Token management is located with channel owner A. This fact suggests that the token from channel A is valid for channel A. I think that an average user assumes that tokenized access to content protects their content. What do you think? Please vote pro or contra on this statement:
A token for channel A gives no permission to access token-accessible content from channel B
#tokenmanagement #token @Hubzilla Support Forum+ @Hubzilla Development+
Well, if I'm logged in I see the Loremipsum stuff and my name in the text. If I'm logged out I can only see the headline but not the content. If I put the '&zat=topsecret' at the end of the URL I can see the content but instead of my name it shows "Dear Guest/LieberGast".
Looks reasonable to me.