CVE-2016-7078 - User with no organizations or locations can see all resources
|Assigned To:|Daniel Lobato Garcia|
|Target version:|Team Daniel - Iteration 9|
|Found in release:||
|Pull request:|https://github.com/theforeman/foreman/pull/4328, https://github.com/theforeman/foreman/pull/4327, https://github.com/theforeman/foreman/pull/4329, https://github.com/theforeman/foreman/pull/3961, https://github.com/theforeman/foreman/pull/3954, https://github.com/theforeman/foreman/pull/4172|
|Velocity based estimate:|-|
The default scope for hosts does not restrict properly by taxonomies. Given this use case:
1. User has role 'Edit host'
2. User has no organization or location
3. User logs in, goes to /hosts and can do anything its permissions allow. The list of hosts is unrestricted and shows hosts in any location or organization.
4. If the user gets a taxonomy assigned, the restriction works normally.
This should work so that:
- Users without taxonomies, when set to 'any context' cannot see anything
- Users with taxonomies, when set to 'any context' can see everything within all of their taxonomies context.
- Admins set to 'any context' can see everything - regardless of whether they have a taxonomy or not.
- Users or admins set to some organization/location scope can only see stuff within scope.
Pending CVE number.
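The four rules above, modelled in plain Ruby (an added example, not Foreman's code): the `fixed:` flag switches between the pre-fix behaviour, where an empty taxonomy assignment dropped the filter, and the corrected behaviour, where it denies. Host, User and the inventory are constructed stand-ins for the Rails models.

```ruby
# Added example, not Foreman's code: a plain-Ruby model of the taxonomy
# scoping rules from the description above, pre-fix beside fixed.
Host = Struct.new(:name, :organization, :location)
User = Struct.new(:admin, :organizations, :locations)

# Constructed sample inventory (hypothetical names).
HOSTS = [
  Host.new('db1',  'ACME',   'Paris'),
  Host.new('web1', 'ACME',   'Tokyo'),
  Host.new('lab1', 'Globex', 'Paris')
].freeze

# Which values of one taxonomy (organization or location) a user may see.
# `current` is the taxonomy selected in the UI (nil = "any context").
# Returns :all or an Array of permitted names (possibly empty).
def allowed_values(user, current, user_values, fixed:)
  return [current] if current          # explicit context wins, admins included
  return :all if user.admin            # admins in "any context" see everything
  # Pre-fix: an empty assignment list removed the filter instead of denying.
  return :all if !fixed && user_values.empty?
  user_values                          # fixed: [] means "nothing at all"
end

def permits?(allowed, value)
  allowed == :all || allowed.include?(value)
end

# Host names visible to `user`; org/loc are the selected context (nil = any).
def visible_hosts(user, org: nil, loc: nil, fixed: true, hosts: HOSTS)
  orgs = allowed_values(user, org, user.organizations, fixed: fixed)
  locs = allowed_values(user, loc, user.locations, fixed: fixed)
  hosts.select { |h| permits?(orgs, h.organization) && permits?(locs, h.location) }
       .map(&:name)
end
```

A non-admin with no organizations or locations gets every host with `fixed: false` and none with `fixed: true`; the other rules are unchanged by the flag.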
Fixes #16982 - Scope properly when no taxonomies are set
The default scope for hosts and other objects did not restrict properly by taxonomies. A user without organizations or locations could do anything its permissions allow. The list of hosts was unrestricted and showed hosts in any location or organization.
This is fixed to work so that:
- Users without taxonomies, when set to 'any context' cannot see anything (at all)
- Users with taxonomies, when set to 'any context' can see everything within all of their taxonomies context (including
- Admins set to 'any context' can see everything - regardless of whether they have a taxonomy or not.
- Users or admins set to some organization/location scope can only see stuff within scope.
refs #16982 - remove User.current deassignment (no such user)
Allows the scope change to be reverted, as User.current is no longer set to `nil` (there is no 'admin' user).
This was relying on a bug in Ruby on Rails 4.2 where the `unscoped` call filtered through thread variables into Subnet.subnet_for which calls Subnet.all. This is fixed in 5.0, so the user must be set correctly.
refs #16982 - check _ids getters as admin user in taxonomy tests
After a request and User.current is back to nil, the ids getters will not return any results as the default taxonomix scopes don't permit it. The clone test was instead testing that _no records were associated.