Bug #16633

Auth source controllers use wrong permissions

Added by Daniel Lobato Garcia 6 months ago. Updated 6 months ago.

Status: Closed
Priority: Normal
Assigned To: Daniel Lobato Garcia
Category: Authorization
Target version: -
Difficulty:
Bugzilla link:
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/3872
Story points: -
Velocity based estimate: -
Release: 1.13.1
Release relationship: Auto

Description

Non-admin users can only be assigned the 'view_authenticators' (or edit, etc...) permission.
However, the API and UI controllers do not take that into account, and use 'view_auth_source_ldaps' (and the rest).

The fix is simple: override `controller_permission` in the controllers to make sure users are checked against the right kind of permission.
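
A simplified model of the mismatch described above, added here as an illustration; it is not Foreman's code or the patch from the pull request. The `User` and `BaseController` classes, the action map, the `create`/`destroy` permission names and the `unassignable_permissions` audit helper are assumptions; only `controller_permission`, `view_authenticators` and `view_auth_source_ldaps` come from the report.

```ruby
# Constructed model: permission names are "<verb>_<controller_permission>".
class User
  def initialize(permissions)
    @permissions = permissions
  end

  def allowed?(permission)
    @permissions.include?(permission)
  end
end

class BaseController
  ACTION_MAP = { 'index' => 'view', 'show' => 'view', 'new' => 'create',
                 'create' => 'create', 'edit' => 'edit', 'update' => 'edit',
                 'destroy' => 'destroy' }.freeze

  # Default: the resource part is derived from the controller's class name.
  def controller_permission
    self.class.name.sub(/Controller\z/, '').gsub(/([a-z])([A-Z])/, '\1_\2').downcase
  end

  def required_permission(action)
    verb = ACTION_MAP.fetch(action) { raise ArgumentError, "unmapped action: #{action}" }
    "#{verb}_#{controller_permission}"
  end

  def authorized?(user, action)
    user.allowed?(required_permission(action))
  end
end

# Before: checks view_auth_source_ldaps, which cannot be granted to non-admins.
class AuthSourceLdapsController < BaseController; end

# After: the override points the check at the permission users actually hold.
class FixedAuthSourceLdapsController < BaseController
  def controller_permission
    'authenticators'
  end
end

# Assumed set of permissions that can be assigned through roles.
ASSIGNABLE = %w[view create edit destroy].map { |v| "#{v}_authenticators" }.freeze

# Audit helper: permissions a controller demands that no role can ever grant.
def unassignable_permissions(controller)
  BaseController::ACTION_MAP.keys.map { |a| controller.required_permission(a) }.uniq - ASSIGNABLE
end
```

Running an audit like `unassignable_permissions` over every controller in a test suite catches this class of bug, where a derived permission name silently locks out all non-admin users.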

Associated revisions

Revision 8cc04d55
Added by Daniel Lobato Garcia 6 months ago

Fixes #16633 - AuthSourceLDAP uses *_authenticators filters

Prior to this, non-admin users who were granted *_authenticators
permissions were not able to use them, as the controllers were looking
for *_auth_source_ldaps permissions instead.

History

#1 Updated by The Foreman Bot 6 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3872 added

#2 Updated by Marek Hulán 6 months ago

  • Release set to 1.14.0

#3 Updated by Dominic Cleal 6 months ago

Would 1.13.1 be better? It looks like a low risk, but useful bug fix, with test coverage etc.

#4 Updated by Anonymous 6 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Marek Hulán 6 months ago

  • Release changed from 1.14.0 to 1.13.1

Sounds good, moving.
