Project

General

Profile

Actions
Copy link

Bug #9947

closed

CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership

Added by Andy Taylor over 9 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Marek Hulán
Category:
Organizations and Locations
Target version:
1.7.5
Difficulty:
Triaged:
Bugzilla link:
1208071
Pull request:
https://github.com/theforeman/foreman/pull/2273
Fixed in Releases:
Found in Releases:
1.7.2
Red Hat JIRA:

Description

I created a new user with a dedicated role with the following permissions:

Host/managed: view_hosts

The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.

Related issues 4 (0 open4 closed)

Related to Foreman - Refactor #10025: Move taxonomy related methods and scopes to Host::BaseClosedMarek Hulán04/06/2015Actions
Related to Discovery - Bug #10005: CVE-2015-1844 - Discovery hosts are not restricted to user taxonomiesClosedLukas Zapletal04/02/2015Actions
Related to Foreman - Bug #10918: Provisioning templates no longer resolve/available for non-admin users in Foreman 1.7.5Feedback06/24/2015Actions
Blocked by Foreman - Bug #9967: Unit tests do not isolate user setupClosedMarek Hulán03/31/2015Actions
Actions
Copy link
 #1

Updated by Dominic Cleal over 9 years ago

  • Category changed from API to Organizations and Locations
Actions
Copy link
 #2

Updated by Marek Hulán over 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Marek Hulán
Actions
Copy link
 #3

Updated by The Foreman Bot over 9 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2273 added
  • Pull request deleted ()
Actions
Copy link
 #4

Updated by Dominic Cleal over 9 years ago

  • Subject changed from GET /api/hosts doesn't respect organization/location membership to CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership
Actions
Copy link
 #6

Updated by Marek Hulán over 9 years ago

  • Bugzilla link set to 1208071
Actions
Copy link
 #7

Updated by Marek Hulán over 9 years ago

  • Blocked by Bug #9967: Unit tests do not isolate user setup added
Actions
Copy link
 #8

Updated by Marek Hulán over 9 years ago

  • Translation missing: en.field_release set to 40
Actions
Copy link
 #9

Updated by Dominic Cleal over 9 years ago

  • Related to Refactor #10025: Move taxonomy related methods and scopes to Host::Base added
Actions
Copy link
 #10

Updated by Dominic Cleal over 9 years ago

  • Related to Bug #10005: CVE-2015-1844 - Discovery hosts are not restricted to user taxonomies added
Actions
Copy link
 #11

Updated by Marek Hulán over 9 years ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed
Actions
Copy link
 #12

Updated by Daniel Lobato Garcia over 9 years ago

Warning for the release notes: this PR will make global (unscoped by organization/location) objects invisible to all users except for admins. If you want to make global objects you should assign them to all taxonomies.

Actions
Copy link
 #13

Updated by Dominic Cleal over 9 years ago

  • Related to Bug #10918: Provisioning templates no longer resolve/available for non-admin users in Foreman 1.7.5 added
Actions
Copy link

Also available in: Atom PDF