CVE-2016-7078 - User with no organizations or locations can see all resources
|Status:||Ready For Testing|
|Assigned To:||Daniel Lobato Garcia|
|Found in release:|||
|Pull request:||https://github.com/theforeman/foreman/pull/4172, https://github.com/theforeman/foreman/pull/3961, https://github.com/theforeman/foreman/pull/3954|
|Velocity based estimate||-|
The default scope for hosts does not restrict properly by taxonomies. Given this use case:
1. User has role 'Edit host'
2. User has no organization or location
3. User logs in, goes to /hosts and can do anything its permissions allow. The list of hosts is unrestricted and shows hosts in any location or organization.
4. Once the user is assigned a taxonomy, the restriction works normally.
This should work so that:
- Users without taxonomies, when set to 'any context', cannot see anything
- Users with taxonomies, when set to 'any context', can see everything within all of their taxonomies
- Admins set to 'any context' can see everything, whether or not they have a taxonomy
- Users or admins set to a specific organization/location scope can only see resources within that scope
Pending CVE number.
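To make the difference concrete, the following plain-Ruby model (added here; it is not Foreman's code, and the users, hosts and taxonomy names are constructed) contrasts a scope that treats an empty taxonomy list as "no restriction" with one that applies the rules listed above. It assumes a non-admin user must hold both the host's organization and its location to see it.

```ruby
# Constructed sample data standing in for Foreman hosts and users (not Foreman's models).
Host = Struct.new(:name, :organization, :location)
User = Struct.new(:login, :admin, :organizations, :locations)

HOSTS = [
  Host.new('web1', 'ACME',   'Paris'),
  Host.new('db1',  'ACME',   'Tokyo'),
  Host.new('lab1', 'Globex', 'Paris'),
].freeze

# Buggy behaviour described in the ticket: an empty taxonomy list is treated as
# "no restriction", so a user with no organizations or locations sees every host.
def visible_hosts_buggy(user, hosts = HOSTS)
  return hosts if user.admin
  hosts.select do |h|
    (user.organizations.empty? || user.organizations.include?(h.organization)) &&
      (user.locations.empty?   || user.locations.include?(h.location))
  end
end

# Allowed values for one taxonomy type. Admins start from every value present;
# everyone else starts from exactly what is assigned (empty stays empty).
# A selected context narrows the set further; nil means 'any context'.
def allowed_taxonomies(admin, assigned, context, all_values)
  base = admin ? all_values : assigned
  context.nil? ? base : (base & [context])
end

# Fixed behaviour following the ticket's expected rules (assumption: both the
# organization and the location of a host must be allowed for it to be visible).
def visible_hosts_fixed(user, org_context: nil, loc_context: nil, hosts: HOSTS)
  orgs = allowed_taxonomies(user.admin, user.organizations, org_context,
                            hosts.map(&:organization).uniq)
  locs = allowed_taxonomies(user.admin, user.locations, loc_context,
                            hosts.map(&:location).uniq)
  hosts.select { |h| orgs.include?(h.organization) && locs.include?(h.location) }
end

if __FILE__ == $PROGRAM_NAME
  nobody = User.new('nobody', false, [], [])
  puts "buggy: #{visible_hosts_buggy(nobody).map(&:name).inspect}"  # all three hosts
  puts "fixed: #{visible_hosts_fixed(nobody).map(&:name).inspect}"  # []
end
```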