Project

General

Profile

Bug #14339

PuppetClassImporter doesn't respect access control or taxonomies

Added by Sean O'Keeffe about 4 years ago. Updated about 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Organizations and Locations
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

Description of problem:
Unprivileged user can import classes and environments that are filtered out.

How reproducible:
always

Steps to Reproduce:
1. Create 2 puppet environments (env1, env2)
2. Import 2 puppet classes (ntp, motd) make both in env1 & only ntp in env2.
3. Create a limited access user so they have all access to env2 and motd. No access to env1 or ntp
4. Make changes to puppet class ntp in env2
5. hit Import from xxxx
6. page displayed will show changes about ntp in env2 (which it shouldn't, this user has no access to them)
7. Hit update and changes will by "imported"

Another slightly different example:
1. Create new org which your test user has no access to.
2. Create another environment on disk (env3) assign to this new org
3. Hit import from xxx as admin user (until there are no changes required)
4. login as test user, hit import from xxx
5. page will display new env3 (as your current user cannot view it)
6. hit update and you'll get "Validation failed: Name has already been taken" it tries to create new environment that is already in the DB

Expected results:
"Import from xxx" to respect access controls of environments/puppetclasses taxonomies.

Tested on nightly but I believe it'll work in 1.10, i don't think there has been changes to this recently.


Related issues

Related to Foreman - Bug #11328: "Name has already been taken" error when importing Puppet classesDuplicate2015-08-11
Related to Foreman - Bug #11453: Warning! Validation failed: Name has already been takenDuplicate2015-08-23
Related to Foreman - Bug #12048: Unable to import puppet environment "production" via foreman web interfaceDuplicate2015-10-02
Related to Foreman - Tracker #10022: Taxonomies related issuesNew2015-04-05

Related to Foreman - Bug #10906: Puppet environment import returns 500 because it exists in different organizationNew2015-06-23
Has duplicate Foreman - Bug #14835: Filter "Puppet class" doesn't have Organization and LocationDuplicate2016-04-26

History

#1 Updated by Sean O'Keeffe about 4 years ago

  • Related to Bug #11328: "Name has already been taken" error when importing Puppet classes added

#2 Updated by Sean O'Keeffe about 4 years ago

  • Related to Bug #11453: Warning! Validation failed: Name has already been taken added

#3 Updated by Sean O'Keeffe about 4 years ago

  • Related to Bug #12048: Unable to import puppet environment "production" via foreman web interface added

#4 Updated by Marek Hulán about 4 years ago

#5 Updated by Dominic Cleal about 4 years ago

  • Related to Bug #10906: Puppet environment import returns 500 because it exists in different organization added

#6 Updated by Ivan Necas about 4 years ago

  • Has duplicate Bug #14835: Filter "Puppet class" doesn't have Organization and Location added

#7 Updated by Ivan Necas about 4 years ago

  • Bugzilla link set to 1329992

#8 Updated by Ivan Necas about 4 years ago

  • Category changed from Security to Organizations and Locations

Also available in: Atom PDF