Need to prevent users from viewing items not in their organization
Users are able to view some details of items that don't belong to their org if they visit the URL directly. This should not be so.
Steps to Reproduce
- Ensure you have items in Org 1
- Create an additional org (Org 2) if you don't already have one
- Create an additional non-admin user with the "viewer" role and place them in Org 2
- With the user created in step 3, go to a URL for an item in Org 1
- Note that you can usually see the details of the item (product for instance)
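The following is an added illustration, not Foreman or Katello code, of the two behaviours the report contrasts: a lookup by id alone (which lets a user in Org 2 read an Org 1 item by visiting its URL) beside a lookup that is always filtered by the caller's organization context, the way a default scope on a taxonomy-aware model is meant to work. The model and method names (Organization, Product, ProductStore, show_product_unscoped, show_product_scoped) and the sample data are assumptions made for the example.

```ruby
# Added example (not project code): minimal in-memory model of org-scoped
# item lookup. Organization, User, Product, ProductStore and the two
# show_product_* methods are names assumed for this illustration.

Organization = Struct.new(:id, :name)
User         = Struct.new(:id, :login, :role, :organization_ids)
Product      = Struct.new(:id, :name, :organization_id, :description)

# Constructed sample data: two organizations, one product in each.
ORGS = [Organization.new(1, "Org 1"), Organization.new(2, "Org 2")]
PRODUCTS = [
  Product.new(1, "alpha-product", 1, "product belonging to Org 1"),
  Product.new(2, "beta-product",  2, "product belonging to Org 2"),
]

# Scoped store: every lookup is filtered by the organization context, so a
# record outside the caller's org is indistinguishable from a record that does
# not exist. This is the property a default scope on the model should provide.
module ProductStore
  def self.find_in_org(product_id, organization_id)
    PRODUCTS.find { |p| p.id == product_id && p.organization_id == organization_id }
  end
end

# Behaviour described in the report: the item is found by id alone, so any
# authenticated user who visits the URL directly sees its details.
def show_product_unscoped(_user, product_id)
  product = PRODUCTS.find { |p| p.id == product_id }
  return { status: 404 } unless product
  { status: 200, body: { name: product.name, description: product.description } }
end

# Intended behaviour: the user must be a member of the current org, and the
# lookup is scoped to that org. A scoped miss returns 404 rather than 403 so
# the response does not confirm that the id exists in another organization.
def show_product_scoped(user, product_id, current_org_id)
  return { status: 403 } unless user.organization_ids.include?(current_org_id)
  product = ProductStore.find_in_org(product_id, current_org_id)
  return { status: 404 } unless product
  { status: 200, body: { name: product.name, description: product.description } }
end

if __FILE__ == $PROGRAM_NAME
  # Viewer that belongs only to Org 2, as in the reproduction steps.
  viewer = User.new(10, "viewer2", :viewer, [2])
  p show_product_unscoped(viewer, 1)   # Org 1 details are returned
  p show_product_scoped(viewer, 1, 2)  # {:status=>404}
  p show_product_scoped(viewer, 1, 1)  # {:status=>403}, viewer is not in Org 1
  p show_product_scoped(viewer, 2, 2)  # {:status=>200, :body=>{...}}
end
```

Run it as a script to see the four cases; the scoped variant is the one a test for this report should exercise, with a viewer in Org 2 requesting an Org 1 item and expecting no item details in the response.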
#1 Updated by Dominic Cleal almost 3 years ago
- Category changed from Web Interface to Organizations and Locations
- Status changed from New to Assigned
Taxonomix models ought to be restricted by their default scope to orgs/locations, preventing them from being viewed if the user's current context doesn't match. Can you supply any more specifics or reproducer in Foreman?
Please note that security issues in Foreman should be reported to foreman-security in the first instance: see http://theforeman.org/security.html, https://groups.google.com/d/msg/foreman-dev/noN-XJ1qXgU/vYFPVYLQDQAJ.
#8 Updated by Chris Duryee almost 3 years ago
This appears to work for me.
How I tested:
- create org 1, add a product
- create org 2
- create user, add viewer role and add to org 2
- log out, log in as new user
- attempt to view /products/1/repositories
Note: the 403 page is broken and results in a 500, but this is a different issue.