# HG changeset patch
# User Raimund Renkert
# Date 1488287031 -3600
# Node ID a0da035cc8317f882767dc34ac582a73ec4f175c
# Parent 1bf808b6740369f7067fcd32bf0065b14489868a
Do not allow access to unknow classes.
diff -r 1bf808b67403 -r a0da035cc831 src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java
--- a/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java Tue Feb 28 09:47:54 2017 +0100
+++ b/src/main/java/de/intevation/lada/util/auth/HeaderAuthorization.java Tue Feb 28 14:03:51 2017 +0100
@@ -137,9 +137,8 @@
 return data;
 }
 Authorizer authorizer = authorizers.get(clazz);
- //This is a hack... Allows wildcard for unknown classes.
 if (authorizer == null) {
- return data;
+ return new Response(false, 699, null);
 }
 return authorizer.filter(data, userInfo, clazz);
 }
@@ -244,7 +243,7 @@
 Authorizer authorizer = authorizers.get(clazz);
 //This is a hack... Allows wildcard for unknown classes.
 if (authorizer == null) {
- return true;
+ return false;
 }
 return authorizer.isAuthorized(data, RequestMethod.GET, userInfo, clazz);
 }
@@ -263,9 +262,8 @@
 Class clazz
 ) {
 Authorizer authorizer = authorizers.get(clazz);
- //This is a hack... Allows wildcard for unknown classes.
 if (authorizer == null) {
- return true;
+ return false;
 }
 return authorizer.isAuthorized(data, RequestMethod.POST, userInfo, clazz);
 }
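Review bot: The bare literal `699` in `return new Response(false, 699, null);` (hunk `@@ -137,9 +137,8 @@`) gives no hint of what the code means, and the new deny path leaves no trace of which class had no `Authorizer`. I would use a named constant for the status code and add a why-comment such as `// Fail closed: no Authorizer is registered for this class, so no data is returned.` on the `authorizer == null` branch. Logging the class name there would help as well, because a model class added without an authorizer now fails at runtime with nothing to show it is a registration gap and not a real denial. The same silent deny applies to the `return false;` branches in the hunks at `@@ -244,7 +243,7 @@` and `@@ -263,9 +262,8 @@`. The method starts above this hunk, so the condition guarding the earlier `return data;` is not visible and is worth checking for the same fail-open pattern.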
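Review bot: The comment `//This is a hack... Allows wildcard for unknown classes.` is still present as a context line in the hunk at `@@ -244,7 +243,7 @@`, although the branch below it now returns `false`; the other two hunks delete it. A comment saying unknown classes are allowed, sitting directly above a deny, misdescribes the access-control behaviour and invites a later change back to fail-open. I would delete it here too or replace it with `// Fail closed: no Authorizer is registered for this class.`. The method's signature lies outside the hunk.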