CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership
Assigned To: Marek Hulán
Category: Organizations and Locations
Found in release: 1.7.2
Pull request: https://github.com/theforeman/foreman/pull/2273
I created a new user with a dedicated role with the following permissions:
The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.
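The check the reporter performed by hand, written out as an added example (this is not code from the report or from the Foreman project). It compares a /api/hosts response against the organizations and locations the user is a member of and lists every host that falls outside that scope, which is exactly what a taxonomy-scoped user should never see. The sample response is constructed, and the `organization_id`/`location_id` field names are assumed from Foreman's API v2 host representation; `fetch_hosts` is an assumed helper for running the same check against a live instance with Basic auth and is not called by default.

```python
import base64
import json
import urllib.request

# Constructed stand-in for a GET /api/hosts response (not a real capture).
# The user below is a member of organization 1 and locations 10 and 11 only,
# so app01 (location 12) and mail01 (organization 2) must not be visible.
SAMPLE_API_RESPONSE = json.dumps({
    "total": 4, "subtotal": 4, "page": 1, "per_page": 20,
    "results": [
        {"id": 1, "name": "web01.example.com",  "organization_id": 1, "location_id": 10},
        {"id": 2, "name": "db01.example.com",   "organization_id": 1, "location_id": 11},
        {"id": 3, "name": "app01.example.com",  "organization_id": 1, "location_id": 12},
        {"id": 4, "name": "mail01.example.com", "organization_id": 2, "location_id": 10},
    ],
})

# Taxonomy membership of the restricted test user (constructed values).
USER_ORGS = {1}
USER_LOCS = {10, 11}


def in_scope(host, orgs, locs):
    """True only if the host's organization AND location are both ones the
    user belongs to. A host with a missing taxonomy (None) is treated as
    out of scope so it gets flagged for manual review rather than ignored."""
    return host.get("organization_id") in orgs and host.get("location_id") in locs


def find_out_of_scope(response_json, orgs, locs):
    """Return every host in an /api/hosts JSON body that the given
    organization/location membership should not be allowed to see."""
    data = json.loads(response_json)
    return [h for h in data.get("results", []) if not in_scope(h, orgs, locs)]


def host_names(hosts):
    return [h["name"] for h in hosts]


def fetch_hosts(base_url, username, password, per_page=1000):
    """Assumed helper: fetch /api/hosts as the restricted user over Basic auth.
    Requires network access to a Foreman instance; not called at import time."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/hosts?per_page={per_page}",
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # noqa: S310 (operator-supplied URL)
        return resp.read().decode()


if __name__ == "__main__":
    leaked = find_out_of_scope(SAMPLE_API_RESPONSE, USER_ORGS, USER_LOCS)
    if leaked:
        print("API returned hosts outside the user's organization/location scope:")
        for name in host_names(leaked):
            print("  ", name)
    else:
        print("All returned hosts are within the user's taxonomy scope.")
```

To reproduce the report against a real instance, replace `SAMPLE_API_RESPONSE` with `fetch_hosts("https://foreman.example.com", "restricted-user", "secret")` and fill in that user's organization and location IDs; an empty result from `find_out_of_scope` is the behaviour the web UI already gives, anything else is the leak described above.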