Bug #10689
closed
Unattended controller permission check does not work
Description
Create a non-admin user (e.g. viewer role only), create new host, and as the viewer user log on and try to view a template.
2015-06-03 14:35:41 [I] Started GET "/unattended/iPXE?hostname=bdsktest.local.lan" for 127.0.0.1 at 2015-06-03 14:35:41 +0200
2015-06-03 14:35:41 [I] Processing by UnattendedController#iPXE as HTML
...
app/controllers/application_controller.rb:224:in `block (2 levels) in render_403'
app/controllers/application_controller.rb:223:in `render_403'
app/controllers/application_controller.rb:63:in `deny_access'
app/controllers/application_controller.rb:55:in `authorize'
app/controllers/unattended_controller.rb:20:in `block (2 levels) in <class:UnattendedController>'
app/models/concerns/foreman/thread_session.rb:32:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'
We have two issues basically:
A) Permissions are not checked properly (we obviously use template kinds as actions and we don't have such permissions)
B) Method render_403 does not work from UnattendedController context (layout error).
Updated by Dominic Cleal almost 10 years ago
- Related to Bug #2892: unattended spoof mode only work for an administrator added
Updated by 
Updated by
Updated by The Foreman Bot almost 10 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/2428 added
- Pull request deleted (
)
Updated by Dominic Cleal almost 9 years ago
- Related to Bug #15490: CVE-2016-4995 - view_hosts permissions/filters not checked for provisioning template previews added
Updated by Dominic Cleal almost 9 years ago
- Related to Refactor #13039: Remove DB queries from class of UnattendedController added