This repository has been archived by the owner on Sep 22, 2019. It is now read-only.

Don't accept all SP requests when allow_unsigned_verification_requests is true

We should still check whether the SP is allowed to verify the attributes
it asks for, even though the SP's identity is not established.
sietseringers committed Oct 31, 2016
1 parent 2adea73 commit fff8bf5
Showing 2 changed files with 2 additions and 8 deletions.
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -2,7 +2,7 @@ apply plugin: 'war'
apply plugin: 'org.akhikhl.gretty'
apply plugin: 'eclipse-wtp'

version = "1.1.0"
version = "1.1.1"

import org.gradle.internal.os.OperatingSystem;

8 changes: 1 addition & 7 deletions src/main/java/org/irmacard/api/web/ApiConfiguration.java
Expand Up @@ -93,13 +93,7 @@ public boolean isIssuingEnabled() {
}

public boolean canVerifyAttribute(String sp, AttributeIdentifier attribute) {
/* If allow_unsigned_verification_requests is true, then the service provider's
* name might be unknown (see VerificationResource#newSession()), so it makes
* no sense to insist here that it is present in the list of authorized verifiers. */
if (allow_unsigned_verification_requests)
return true;

if (!authorized_sps.containsKey(sp))
if (!allow_unsigned_verification_requests && !authorized_sps.containsKey(sp))
return false;

ArrayList<String> attributes = authorized_sps.get(sp);
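Review bot: on the last visible line, attributes can now be null. With the combined condition, a request whose sp is not a key in authorized_sps no longer returns false when allow_unsigned_verification_requests is true, so it falls through to authorized_sps.get(sp), which (assuming authorized_sps is a java.util.Map) returns null for an absent key. The removed comment says the SP name may be unknown in exactly this mode, so this is the expected path, not a corner case. The rest of the method is not shown here; it should handle the null explicitly and return a definite answer, and the intended policy for an unknown SP (deny, or check against some default list) deserves a short comment in place of the one deleted, since the commit message says the attribute check must still apply. A unit test with the flag set and an sp that is not in authorized_sps would pin the behaviour down.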