Bug #9947

CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership

Added by Andy Taylor about 2 years ago. Updated almost 2 years ago.

Status: Closed
Priority: Normal
Assigned To: Marek Hulán
Category: Organizations and Locations
Target version: -
Difficulty: -
Bugzilla link: 1208071
Found in release: 1.7.2
Pull request: https://github.com/theforeman/foreman/pull/2273
Story points: -
Velocity based estimate: -
Release: 1.7.5
Release relationship: Auto

Description

I created a new user with a dedicated role with the following permissions:

Host/managed: view_hosts

The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.


Related issues

Related to Foreman - Refactor #10025: Move taxonomy related methods and scopes to Host::Base Closed 04/06/2015
Related to Discovery - Bug #10005: CVE-2015-1844 - Discovery hosts are not restricted to use... Closed 04/02/2015
Related to Foreman - Bug #10918: Provisioning templates no longer resolve/available for no... New 06/24/2015
Blocked by Foreman - Bug #9967: Unit tests do not isolate user setup Closed 03/31/2015

Associated revisions

Revision abe910f2
Added by Marek Hulán about 2 years ago

Fixes #9947 - restrict user taxonomies if none is set

History

#1 Updated by Dominic Cleal about 2 years ago

  • Category changed from API to Organizations and Locations

#2 Updated by Marek Hulán about 2 years ago

  • Status changed from New to Assigned
  • Assigned To set to Marek Hulán

#3 Updated by The Foreman Bot about 2 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2273 added

#4 Updated by Dominic Cleal about 2 years ago

  • Subject changed from GET /api/hosts doesn't respect organization/location membership to CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership

#6 Updated by Marek Hulán about 2 years ago

  • Bugzilla link set to 1208071

#7 Updated by Marek Hulán about 2 years ago

  • Blocked by Bug #9967: Unit tests do not isolate user setup added

#8 Updated by Marek Hulán about 2 years ago

  • Release set to 1.7.5

#9 Updated by Dominic Cleal about 2 years ago

  • Related to Refactor #10025: Move taxonomy related methods and scopes to Host::Base added

#10 Updated by Dominic Cleal about 2 years ago

  • Related to Bug #10005: CVE-2015-1844 - Discovery hosts are not restricted to user taxonomies added

#11 Updated by Marek Hulán about 2 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#12 Updated by Daniel Lobato Garcia about 2 years ago

Warning for the release notes: this PR will make global (unscoped by organization/location) objects invisible to all users except for admins. If you want to make global objects you should assign them to all taxonomies.
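As an added illustration (not Foreman's code and not taken from the pull request linked above), the following Ruby models the scoping defect described in this report next to a scope that falls back to the user's own taxonomy membership, including the release-note caveat from comment #12 about global objects; Host, User, the sample data and the visible_hosts_* functions are hypothetical names constructed for this example.

```ruby
# Added illustration, not Foreman's own code: a simplified model of
# taxonomy scoping for a host listing. It shows the failure mode reported
# here (no org/location context on the API request => every host is
# returned) next to a scope that falls back to the user's own membership.
# All names (Host, User, visible_hosts_*) are hypothetical.

Host = Struct.new(:name, :organization, :location)
User = Struct.new(:login, :admin, :organizations, :locations)

# Constructed sample data: three scoped hosts and one "global" host that
# belongs to no organization or location.
HOSTS = [
  Host.new("h1", "org-a", "loc-x"),
  Host.new("h2", "org-a", "loc-y"),
  Host.new("h3", "org-b", "loc-x"),
  Host.new("h4", nil, nil),
].freeze

ALICE = User.new("alice", false, ["org-a"], ["loc-x"]).freeze  # non-admin
ROOT  = User.new("root", true, [], []).freeze                  # admin

# Buggy behaviour: the filter only uses the explicitly selected context.
# With no context (the plain GET /api/hosts case) nothing is filtered, and
# a context the user is not a member of is honoured as well.
def visible_hosts_buggy(user, hosts, org_context: nil, loc_context: nil)
  return hosts if user.admin
  hosts.select do |h|
    (org_context.nil? || h.organization == org_context) &&
      (loc_context.nil? || h.location == loc_context)
  end
end

# Fixed behaviour: start from the user's own taxonomies; a selected
# context may only narrow that set, never widen it. A host with no
# taxonomy at all is invisible to non-admins, which is the release-note
# caveat from comment #12 (assign global objects to all taxonomies).
def visible_hosts_fixed(user, hosts, org_context: nil, loc_context: nil)
  return hosts if user.admin
  orgs = user.organizations
  locs = user.locations
  orgs &= [org_context] if org_context
  locs &= [loc_context] if loc_context
  hosts.select { |h| orgs.include?(h.organization) && locs.include?(h.location) }
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy: #{visible_hosts_buggy(ALICE, HOSTS).map(&:name).join(',')}"
  puts "fixed: #{visible_hosts_fixed(ALICE, HOSTS).map(&:name).join(',')}"
end
```

Run it to see the non-admin user receive all four hosts from the buggy scope and only h1 from the fixed one; h4 stays hidden from the non-admin until it is assigned to her organization and location.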

#13 Updated by Dominic Cleal almost 2 years ago

  • Related to Bug #10918: Provisioning templates no longer resolve/available for non-admin users in Foreman 1.7.5 added
