I have the following issue with a Web Application.
The system has 2 users - user1 and user2.
The system has objects of type Job, and each user can see only his jobs. For example, user1 operates only with job1 and job2, user2 operates with job3 and job4.
For this purpose a new Controller was created to filter jobs like this:
((ListView)View).CollectionSource.Criteria["Filter1"] = new BinaryOperator…
The following behavior is wrong:
- I log in with user1 and see only job1 and job2.
- I open job1 -> job1 is shown to me in a DetailView
- I log out
- I log in with user2
- after login I see in a DetailView the last page before logout - job1. It's wrong, because job1 is assigned to user1.
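The check this scenario calls for, as an added example that is not the poster's controller and not DevExpress code: a ViewController that applies the per-user criterion to the ListView and, separately, verifies the object shown in a DetailView against the logged-in user, so that a Job reached by any other route (a view restored after re-login, a bookmarked URL, browser history) is refused on the server. The Job class, its Owner reference property and Owner.Oid key, and the use of SecuritySystem.CurrentUserId, DetailView.CurrentObject and UserFriendlyException are assumptions about the application, not taken from the thread.

```csharp
using DevExpress.Data.Filtering;
using DevExpress.ExpressApp;
using DevExpress.Persistent.Base;

// Added example, not code from the thread. Assumes a persistent class "Job"
// with a reference property "Owner" whose Oid is the key of the user allowed
// to see the job, and that SecuritySystem.CurrentUserId returns the key of
// the currently logged-in user (both are assumptions about the application).
public class JobAccessController : ViewController
{
    private const string OwnerFilterKey = "OwnerFilter";

    public JobAccessController()
    {
        TargetObjectType = typeof(Job); // activate only for views showing Job objects
    }

    protected override void OnActivated()
    {
        base.OnActivated();
        object currentUserId = SecuritySystem.CurrentUserId;

        // ListView: show only the current user's jobs. This is a display filter;
        // it does not stop a Job from being opened by another route.
        ListView listView = View as ListView;
        if (listView != null)
        {
            listView.CollectionSource.Criteria[OwnerFilterKey] =
                new BinaryOperator("Owner.Oid", currentUserId, BinaryOperatorType.Equal);
        }

        // DetailView: check the object itself. A view restored after re-login,
        // a bookmarked URL or browser history bypasses the ListView filter, so
        // the ownership test is repeated here, on the server, for the current user.
        DetailView detailView = View as DetailView;
        if (detailView != null && !IsOwnedBy(detailView.CurrentObject, currentUserId))
        {
            detailView.CurrentObject = null; // do not render the foreign object
            throw new UserFriendlyException(
                "This job belongs to another user and cannot be displayed.");
        }
    }

    // True only when the object is a Job whose Owner key equals the current user's key.
    // A null object or a null Owner is treated as "not owned" (fail closed).
    internal static bool IsOwnedBy(object obj, object userId)
    {
        Job job = obj as Job;
        return job != null && job.Owner != null && Equals(job.Owner.Oid, userId);
    }
}
```

The point of the second half is that the ListView criterion is a convenience filter, not an authorization boundary: whatever mechanism re-displays the last DetailView after the second login, an object-level check tied to the current user (here, or an equivalent object-level permission in the XAF security system) is what actually prevents user2 from seeing job1.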
Hello Aleksey,
In your scenario, an end-user sees some information while logged in as one application user ('user1'), and sees the same information after logging out and logging in again as another application user ('user2'), without restarting the browser, and within some short period of time, which is the session timeout (usually it is 20 minutes).
Are you sure that this issue is a security hole, which must be fixed as soon as possible?
I am asking this because in your scenario one and the same end-user (a real man) sees the same information in both cases. Since he was able to read it while logged in as 'user1', I believe it doesn't matter that he will see the same information when he logs on as 'user2'.
Moreover, this situation could happen when information is not protected for 'user2': if it is protected by the XAF Security, then 'user2' will see the 'Protected Content' message. This means that in your scenario 'user2' is granted permission to read the information by the security settings.
I agree that this should be considered a security hole when two different end-users are involved: the second user can see what the first user has been reading before logging out. However, it seems very unlikely that both of them are working on one and the same computer, under one and the same Windows system account, within one and the same browser instance (i.e. without restarting the browser), and within a short time period.
Please confirm that this issue fix is urgent for you and we will fix it shortly.
Otherwise, we will pay attention to more important issues and return to this issue later, in a month or so.
Thanks,
Dan
Hello!
Thanks for the reply. Actually, I'm a little bit confused, because security issues should be completed with the highest priority. I could imagine a hundred examples where this security problem could happen. For example, did you ever see how a cashier in a supermarket works? After 3-4 hours another one comes, the first logs out, the other logs in, and everything at the same workstation…
For me actually this is a security issue to be solved, no matter whether my application needs it or not. But I can wait of course, as I am still waiting for version 8.2, where some bugs more critical for me should be fixed, for example http://www.devexpress.com/issue=B94036 (Localization Logon bug in Win Application) ;)