This repository was archived by the owner on May 29, 2026. It is now read-only.
Commit 89380de
committed
fix(security): PermissionHandler — fail CLOSED on custom-scope dispatch error
`dispatchCustomScopeEvaluation()` caught listener exceptions, logged
them, and returned `null` — letting the caller fall through to the
standard rule chain. For canonical verbs that's safe (chain decides),
but custom verbs (ZGW `besluit_nemen` etc.) explicitly delegate the
verdict to the listener; the chain has no opinion and "deny by
default" was the *intent*. The risk: when a listener has previously
voted ALLOW for a verb but the dispatcher itself throws, the cleared
verdict + chain-fallback can silently open access.
Treat the dispatcher exception as a deny vote (`return false`). A
genuinely down listener is a security event — let it surface as an
explicit denial rather than a no-op. Listener `deny()` votes that
land before the throw still propagate via the existing
`hasVerdict()` path.
Refs: #1419 review (concern 6) — discussion_r31874944791 parent c10828b commit 89380de
1 file changed
Lines changed: 12 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
506 | 506 | | |
507 | 507 | | |
508 | 508 | | |
| 509 | + | |
| 510 | + | |
| 511 | + | |
| 512 | + | |
| 513 | + | |
| 514 | + | |
| 515 | + | |
| 516 | + | |
| 517 | + | |
| 518 | + | |
509 | 519 | | |
510 | | - | |
| 520 | + | |
511 | 521 | | |
512 | 522 | | |
513 | 523 | | |
514 | 524 | | |
515 | 525 | | |
516 | 526 | | |
517 | 527 | | |
518 | | - | |
| 528 | + | |
519 | 529 | | |
520 | 530 | | |
521 | 531 | | |
| |||
0 commit comments