12.13.0 (backend only)

Breaking change: version 12.13.0 introduces the implementation of additional access control checks. Upgrading to this version without configuring extra permissions might cause errors and loss of functionality.

This version resolves the vulnerability (CVE 8,6) explained here.

At the moment of writing, only the 12.13.0 backend has been released. This page will be updated when the frontend release has been published as well.

New features - GZAC edition

Access control for Objects

Access Control checks have been implemented for interaction with the Objecten API. Because the Objects and Objecttypes are not part of the GZAC database, the permissions are limited to include only an action. The following actions are available:

view
view_list
create
modify
delete

An example of Object permissions look as follows:

"permissions": [
        {
            "resourceType": "com.ritense.objectenapi.security.Object",
            "action": "create"
        },
        {
            "resourceType": "com.ritense.objectenapi.security.Object",
            "action": "modify"
        },
        {
            "resourceType": "com.ritense.objectenapi.security.Object",
            "action": "view"
        },
        {
            "resourceType": "com.ritense.objectenapi.security.Object",
            "action": "view_list"
        },
        {
            "resourceType": "com.ritense.objectenapi.security.Object",
            "action": "delete"
        }
    ]

To reduce the impact of this breaking change, an application property has been added to disable the access control checks for Objects. The following properties can be set to false :

valtimo.authorization.objectenapi.enabled (application property), or
VALTIMO_AUTHORIZATION_OBJECTENAPI_ENABLED (environment variable)

Disabling the access control checks for Objects can be a severe security risk and is highly discouraged.

Previous12.14.1 Next12.12.0

Last updated 8 days ago