Bug #1356

closed

Data Leak in Reports and Hosts pages

Added by Greg Sutcliffe over 12 years ago. Updated over 12 years ago.

Status: Closed
Priority: Normal
Category: Users, Roles and Permissions

Description

A User with a Filter can see reports for other hosts.

Steps to reproduce:
1) Create a User with a Hostgroup "must be" "groupname" filter
2) Go to the Hosts page - this page is filtered correctly
3) Go to the Reports page - this page is not filtered by Hostgroup
4) Click a report for a host which is not in the User's filter - the User can see this data
5) Click Host details - the User can see this page too
6) Click Edit - the User can even start editing the page

Fortunately Foreman will raise an error if the User tries to save the Host, but I'm pretty sure he shouldn't be able to get this far.

Expected behaviour:

1) Reports should have the same filtering as Hosts
2) Hosts page should not be displayed if you go direct to http://$foreman/hosts/f.q.d.n (or any subpage like /edit)
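
The expected behaviour above, as an added Ruby example that is not part of the original report and is not Foreman's code: one visibility rule drives the Hosts list, the Reports list, and every direct lookup by name or id. All names here (`Host`, `Report`, `User`, `visible_host?`, `hosts_for`, `reports_for`, `find_host!`, `find_report!`, `denied?`) and the sample data are constructed for illustration.

```ruby
# Constructed in-memory stand-ins; none of these names are Foreman's own.
Host   = Struct.new(:name, :hostgroup)
Report = Struct.new(:id, :host)
User   = Struct.new(:login, :hostgroups) # hostgroups nil => no filter
class NotFound < StandardError; end

HOSTS = [Host.new("web01.example.com", "web"),
         Host.new("db01.example.com", "db")].freeze
REPORTS = [Report.new(1, HOSTS[0]), Report.new(2, HOSTS[1])].freeze

# The one place that decides whether a user may see a host.
def visible_host?(user, host)
  user.hostgroups.nil? || user.hostgroups.include?(host.hostgroup)
end

def hosts_for(user)
  HOSTS.select { |h| visible_host?(user, h) }
end

# Reports take the filter of the host they belong to.
def reports_for(user)
  REPORTS.select { |r| visible_host?(user, r.host) }
end

# Direct lookups (a host page, its /edit subpage, a single report) search
# only the scoped set, so an out-of-filter record looks like a missing one.
def find_host!(user, name)
  hosts_for(user).find { |h| h.name == name } or raise NotFound, name
end

def find_report!(user, id)
  reports_for(user).find { |r| r.id == id } or raise NotFound, "report #{id}"
end

# True when a lookup is refused for this user.
def denied?
  yield
  false
rescue NotFound
  true
end

alice = User.new("alice", ["web"]) # filter: Hostgroup must be "web"
puts reports_for(alice).map(&:id).inspect
puts denied? { find_host!(alice, "db01.example.com") }
```
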

Actions #1

Updated by Ohad Levy over 12 years ago

  • Category set to Users, Roles and Permissions
  • Assignee set to Greg Sutcliffe
  • Target version set to 1.0
Actions #2

Updated by Ohad Levy over 12 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100