blocking /content/dam/.permissions.json?privileges= jcr%3AmodifyAccessControl | Community
rajeshs28932860
Level 3
February 28, 2019
Solved

blocking /content/dam/.permissions.json?privileges= jcr%3AmodifyAccessControl


Recently we had our security tests on the platform, where one finding raised as critical was the request sent to /content/dam/.permissions.json?privileges= jcr%3AmodifyAccessControl under cross-site scripting, tampering with the request to execute script.

Now the question: will there be any impact on author if I block .permissions.json/* requests in dispatcher? Does it affect any functionality?

Thank you,


Peter_Puzanovs
Community Advisor
February 28, 2019

Hi Rajesh,

Just to confirm, you want to block the .permission.json/* endpoint for all your content authors in your AEM author instance?

Regards,

Peter

rajeshs28932860
Level 3
February 28, 2019

Hi Peter,

Yes, not specific to a user; going to block it in dispatcher, typically for all the requests.

Peter_Puzanovs
Community Advisor
February 28, 2019

Hi Rajesh,

Thank you for your reply,

When you click on the "Create Folder" button in the Touch UI Assets browser, you won't see the checkbox option that says "private"; it simply won't be there, due to the fact that AEM could not retrieve the requests value, and due to this it won't be shown.

Please note, have used AEM 6.4 SP2 to get this info.

Regards,

Peter

rajeshs28932860
Level 3
February 28, 2019

Hi Peter,

Thanks, even I need it for AEM 6.4 SP2.

Is that the only functionality that is affected if I block it, and the rest will all work as expected? There won't be any issues with user permissions or for authors?

Thank you,

Peter_Puzanovs
Community Advisor
Accepted solution
February 28, 2019

Hi Rajesh,

There will be other areas that are not used by Content Authors affected too.

One major area I can immediately see would be the permission/user/group management tool, useradmin; it would completely stop displaying all permissions for a specific user/group.

Regards,

Peter

rajeshs28932860
Level 3
February 28, 2019

Thanks Peter,

It has a major effect for admins; I would take it as not to block since it has its dis effects.

I would raise with Adobe to see what they actually can do about it.

Level 2
July 14, 2023

How did you block the /content/dam/.permissions.json?