Bug #16982

CVE-2016-7078 - User with no organizations or locations can see all resources

Added by Daniel Lobato Garcia 4 months ago. Updated about 16 hours ago.

Status:Ready For Testing
Priority:Normal
Assigned To:Daniel Lobato Garcia
Category:Security
Target version:-
Difficulty: -
Bugzilla link: -
Found in release: -
Pull request: https://github.com/theforeman/foreman/pull/4172, https://github.com/theforeman/foreman/pull/3961, https://github.com/theforeman/foreman/pull/3954
Story points: -
Velocity based estimate: -

Description

The default scope for hosts does not restrict properly by taxonomies. Given this use case:

1. User has role 'Edit host'
2. User has no organization or location
3. User logs in, goes to /hosts and can do anything its permissions allow. The list of hosts is unrestricted and shows hosts in any location or organization.
4. If the user gets a taxonomy assigned to it, then the restriction works normally.

This should work so that:

- Users without taxonomies, when set to 'any context' cannot see anything 
- Users with taxonomies, when set to 'any context' can see everything within all of their taxonomies context.
- Admins set to 'any context' can see everything - regardless of whether it has a taxonomy or not.
- Users or admins set to some organization/location scope can only see stuff within scope.

Pending CVE number.
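The four rules above, modelled in plain Ruby as an added example (this is not Foreman's code and does not use its models or ActiveRecord scopes; the Host/User structs, the sample organizations and locations, and the two `visible_hosts_*` functions are all constructed for illustration). The buggy variant reproduces the reported behaviour: an empty taxonomy list is treated as "no filter", so a user with no organizations or locations sees every host. The fixed variant treats "any context" for a non-admin as the union of that user's own taxonomies, which for an empty list is nothing, while admins in "any context" keep full visibility and an explicit organization/location context restricts everyone to that scope.

```ruby
# Added example (not Foreman code): taxonomy scoping rules from the report,
# modelled without Rails so the file runs stand-alone.

Host = Struct.new(:name, :organization, :location)
User = Struct.new(:login, :admin, :organizations, :locations)

# Constructed sample inventory (assumed names, not real data).
HOSTS = [
  Host.new('web01', 'ACME',   'Paris'),
  Host.new('db01',  'ACME',   'Berlin'),
  Host.new('ci01',  'Globex', 'Paris')
].freeze

# Buggy scoping, as described in the report: when the user has no
# organizations/locations, the taxonomy list is empty and the filter is
# skipped entirely, so a non-admin with no taxonomies sees all hosts.
def visible_hosts_buggy(user, hosts, organization: nil, location: nil)
  return hosts if user.admin
  orgs = organization ? [organization] : user.organizations
  locs = location ? [location] : user.locations
  hosts.select do |h|
    (orgs.empty? || orgs.include?(h.organization)) &&
      (locs.empty? || locs.include?(h.location))
  end
end

# Intended scoping:
#   * non-admin in "any context": only hosts inside the user's own
#     organizations AND locations; no taxonomies => empty result
#   * admin in "any context": everything
#   * explicit organization/location context: only that scope, for everyone
def visible_hosts_fixed(user, hosts, organization: nil, location: nil)
  hosts.select do |h|
    org_ok = if organization
               h.organization == organization
             else
               user.admin || user.organizations.include?(h.organization)
             end
    loc_ok = if location
               h.location == location
             else
               user.admin || user.locations.include?(h.location)
             end
    org_ok && loc_ok
  end
end

if $PROGRAM_NAME == __FILE__
  nobody = User.new('nobody', false, [], [])
  puts "buggy: #{visible_hosts_buggy(nobody, HOSTS).map(&:name).inspect}" # every host
  puts "fixed: #{visible_hosts_fixed(nobody, HOSTS).map(&:name).inspect}" # []
end
```

The same pattern applies to any model linked to organizations or locations, not only hosts: the check to make when reviewing a scope is what it does when the user's taxonomy list is empty, since "no constraint" and "constraint that matches nothing" are easy to conflate.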


Related issues

Copied to Katello - Bug #17266: Fix tests that depend on CVE 2016-7078 (Ready For Testing, 10/18/2016)

History

#1 Updated by Dominic Cleal 4 months ago

  • Subject changed from User with no taxonomies can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all hosts
  • Status changed from New to Assigned

#2 Updated by Dominic Cleal 4 months ago

  • Subject changed from CVE-2016-7078 - User with no organizations or locations can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all resources

Applies to both hosts and objects linked to multiple orgs/locs (via Taxonomix).

#3 Updated by The Foreman Bot 4 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3954 added

#4 Updated by The Foreman Bot 4 months ago

  • Pull request https://github.com/theforeman/foreman/pull/3961 added

#5 Updated by Daniel Lobato Garcia 4 months ago

  • Target version set to Team Daniel - iteration 3

#6 Updated by Daniel Lobato Garcia 3 months ago

  • Copied to Bug #17266: Fix tests that depend on CVE 2016-7078 added

#7 Updated by Daniel Lobato Garcia 3 months ago

  • Target version changed from Team Daniel - iteration 3 to Team Daniel - iteration 6

#8 Updated by The Foreman Bot about 1 month ago

  • Pull request https://github.com/theforeman/foreman/pull/4172 added

#9 Updated by Daniel Lobato Garcia 27 days ago

  • Target version changed from Team Daniel - iteration 6 to Team Brad - Iteration 11

#10 Updated by Brad Buckingham 1 day ago

  • Target version deleted (Team Brad - Iteration 11)
