Token for channel A makes a non-public webpage from channel B accessible

neue medienordnung plus
  last edited: Tue, 14 Nov 2017 08:59:07 +0100  
  • I created webpage WPB http://dummy.org/page/wpb on channel B with [observer=1/0]-protected content
  • I created token TCA for channel A (zat=tca)
  • I opened webpage WPB with the token for channel A
  • I see the protected content in webpage WPB
Hubzilla version 2.8.1

@Mike M. closed the issue https://github.com/redmatrix/hubzilla/issues/909, but I mean that it is a bug that Hubzilla displays protected content in webpage WPB for a visitor with token TCA, which is valid for channel A. Because I created a token for access to channel A, not to channel B.

Similar to login on hubs:
  • one valid login on hub https://hub.freecommunication.org/ is no permission for login on hub https://macgirvin.com/
  • I anticipate that one valid token for https://hub.freecommunication.org/channel/nmoplus is no permission for https://hub.freecommunication.org/channel/wallzilla
I mean the current behavior of the token solution is a danger for channel security:
a malicious user from channel https://hub.freecommunication.org/channel/A can make a token TCB and get access to token-protected content on channel https://hub.freecommunication.org/channel/B

Token management is located with channel owner A. This fact suggests that the token from channel A is valid for channel A. I mean that an average user assumes that the tokenized access protects their content. What do you think? Please vote pro or contra on this statement:

A token for channel A gives no permission to access token-accessible content from channel B.

#tokenmanagement #token @Hubzilla Support Forum+ @Hubzilla Development+
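An added example (not Hubzilla's code) modelling the rule proposed in this post: each channel keeps its own guest-token table, and a page's [observer=1]/[observer=0] blocks are rendered according to whether the presented zat token was issued by the page's own channel. The unscoped variant shows the cross-channel behaviour the post reports. Channel, page and token names come from the post; the classes and functions are assumptions.

```python
import hashlib
import hmac
import re
from typing import Iterable, Optional

# [observer=1]...[/observer] is shown to a permitted observer,
# [observer=0]...[/observer] to everyone else (guests).
OBSERVER_RE = re.compile(r"\[observer=([01])\](.*?)\[/observer\]", re.DOTALL)


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class Channel:
    """A channel with its own guest-token table (digests only, never plaintext)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._token_digests: set = set()

    def issue_token(self, token: str) -> None:
        self._token_digests.add(_digest(token))

    def accepts(self, presented: str) -> bool:
        d = _digest(presented)
        # Constant-time comparison against every stored digest.
        return any(hmac.compare_digest(d, s) for s in self._token_digests)


def _render(body: str, permitted: bool) -> str:
    return OBSERVER_RE.sub(
        lambda m: m.group(2) if (m.group(1) == "1") == permitted else "", body
    )


def render_scoped(page_owner: Channel, body: str, zat: Optional[str]) -> str:
    """Proposed rule: only a token issued by the page's own channel unlocks it."""
    permitted = zat is not None and page_owner.accepts(zat)
    return _render(body, permitted)


def render_unscoped(channels: Iterable[Channel], body: str, zat: Optional[str]) -> str:
    """Reported behaviour: the token is matched against every channel's table,
    so a token from channel A also unlocks a page on channel B."""
    permitted = zat is not None and any(c.accepts(zat) for c in channels)
    return _render(body, permitted)


# Constructed page body for WPB, in the post's [observer] notation.
WPB = "Headline\n[observer=1]Protected paragraph[/observer][observer=0]Dear Guest[/observer]"
```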
Steffen K9 🐙
  
Well, if I'm logged in I see the Loremipsum stuff and my name in the text. If I'm logged out I can only see the headline but not the content. If I put the '&zat=topsecret' at the end of the URL I can see the content but instead of my name it shows "Dear Guest/LieberGast".
Looks reasonable to me.
neue medienordnung plus
  
OK, it is my fallacy. And for advanced server-side access control at the paragraph level, Hubzilla developers need tools such as AJAX with ACL support, right?
Mike Macgirvin
  
And for advanced server-side access control at the paragraph level, Hubzilla developers need tools such as AJAX with ACL support, right?

It needs a whole lot more than that. You're welcome to give it a go.