Bogus ACL permissions in v0.7.0
Hi,
As stated before, I upgraded my burp-ui setup to current v0.7.0-dev.
Now I might not understand how new ACLs work, but here I go:
I have set up ACLs like this:
```ini
## acl engine global options
[ACL]
extended = true
## If you don't explicitly specify ro/rw grants, what should we assume?
assume_rw = false
legacy = false
#inverse_inheritance = false
#implicit_link = true
```
I have a moderator account with the following ACLs:
```ini
someuser = '{"agents":{"Agent1":{"rw":["client.*","server.*"]},"Agent2":{"rw":["client.*","server.*"]}}}'
+moderator = "", someuser
```
As I understand it, user "someuser" should be able to modify the configuration of every client.* and server.* conf file. But what actually happens is that this user is not permitted to modify any client that matches client.* or server.*, unless I change assume_rw to true.
As my user has specific "rw" grants, I should not have to set assume_rw = true, I guess, should I?
Thanks.