SOLVED

blocking /content/dam/.permissions.json?privileges=jcr%3AmodifyAccessControl

Level 3

Recently we had security tests on the platform, where one finding raised as critical was the request sent to /content/dam/.permissions.json?privileges=jcr%3AmodifyAccessControl, under cross-site scripting, tampering with the request to execute script.

Now the question: will there be any impact on author if I block .permissions.json/* requests in the dispatcher? Does it affect any functionality?

Thank you,


7 Replies

Community Advisor

Hi Rajesh,

Just to confirm: you want to block the .permissions.json/* endpoint for all your content authors in your AEM author instance?

Regards,

Peter

Level 3

Hi Peter,

Yes, not specific to a user; going to block it in the dispatcher for all requests.

Community Advisor

Hi Rajesh,

Thank you for your reply.

When you click the "Create Folder" button in the Touch UI Assets browser, you won't see the checkbox option that says "private"; it simply won't be there, because AEM could not retrieve the request's value, and due to this it won't be shown.

Please note, I have used AEM 6.4 SP2 to get this info.

Regards,

Peter

Level 3

Hi Peter,

Thanks, I need it for AEM 6.4 SP2 too.

Is that the only functionality that is affected if I block it? Will the rest work as expected? Won't there be any issues with user permissions or for authors?

Thank you,

Correct answer by
Community Advisor

Hi Rajesh,

There will be other areas that are not used by Content Authors affected too.

One major area, as I can immediately see, would be the permission/user/group management tool, useradmin: it would completely stop displaying all permissions for a specific user/group.

Regards,

Peter

Level 3

Thanks Peter,

It has a major effect for admins; I would take it as not to block, since it has its side effects.

I would raise with Adobe to see what they actually can do about it.

Level 2

How did you block the /content/dam/.permissions.json?
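An added illustration, not a reply from this thread nor any poster's actual configuration, of what the dispatcher block discussed above would look like in a `dispatcher.any` filter section; the rule numbers and the surrounding default-deny/allow rules are assumed. Per Peter's replies, the same rule on an author-tier dispatcher removes the useradmin permission display and the "private" folder checkbox, so it is shown here as a publish-tier rule.

```conf
/filter
  {
  # Assumed default-deny baseline, as in a typical dispatcher.any
  /0001 { /type "deny"  /url "*" }
  /0002 { /type "allow" /url "/content/*" }

  # Dispatcher evaluates filter rules in order and the last matching
  # rule wins, so this deny must come after the /content/* allow above.
  # Blocks the permissions endpoint from the security finding for any
  # query string (e.g. ?privileges=jcr%3AmodifyAccessControl).
  /0100 { /type "deny" /url "*/.permissions.json*" }
  }
```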