Bug #1356
Data Leak in Reports and Hosts pages
| Status: | Closed | Start: | 11/24/2011 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assigned to: |  Greg Sutcliffe |
% Done: | 100% |
|
| Category: | Authorization | |||
| Target version: | 1.0 | |||
| Backlog: | No | Difficulity: | ||
| Votes: | 0 |
Description
A User with a Filter can see reports for other hosts.
Steps to reproduce:
1) Create a User with a Hostgroup "must be" "groupname" filter
2) Go to the Hosts page - this page is filtered correctly
3) Go to the Reports page - this page is not filtered by Hostgroup
4) Click a report for a host which is not in the User's filter - the User can see this data
5) Click Host details - the User can see this page too
6) Click Edit - the User can even start editing the page
Fortunately Foreman will raise an error if the User tries to save the Host, but I'm pretty sure he shouldn't be able to get this far.
Expected behaviour:
1) Reports should have the same filtering as Hosts
2) Hosts page should not be displayed if you go direct to http://$foreman/hosts/f.q.d.n (or any subpage like /edit)
Associated revisions
Revision 90ddcbb1155e231038601a77f73d342944bd00dd
Don't show reports from hosts not in a User's filter refs #1356
Revision 9bbcf6a419d8d51d58a52254c4162b32466f1398
fixes #1356 - Stop hosts from being visible if your filter doesn't permit it
History
Updated by Ohad Levy over 1 year ago
- Category set to Authorization
- Assigned to set to Greg Sutcliffe
- Target version set to 1.0
Updated by Ohad Levy over 1 year ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Applied in changeset 9bbcf6a419d8d51d58a52254c4162b32466f1398.
