Bug #15270

Need to prevent users from viewing items not in their organization

Added by Walden Raines almost 3 years ago. Updated 10 months ago.

Status: Closed
Priority: High
Assignee:
Category: API
Target version:
Difficulty: medium
Triaged: Yes
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Users are able to view some details of items that don't belong to their org if they visit the URL directly. This should not be so.

Steps to Reproduce

  1. Ensure you have items in Org 1
  2. Create an additional org (Org 2) if you don't already have one
  3. Create an additional non-admin user with the "viewer" role and place them in Org 2
  4. With the user created in step 3, go to a URL for an item in Org 1
  5. Note that you can usually see the details of the item (product for instance)
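The reproduction steps above boil down to one missing control: the record is looked up by id first and the organization check is left to whichever route remembers it. As an added example (not Katello's or Foreman's own code), the plain-Ruby model below puts the organization restriction into the lookup itself, the way a Taxonomix-style default scope is meant to, and keeps the unscoped lookup beside it to show the behaviour this bug describes. Names (Org, Product, User, ProductLookup) and the sample data are hypothetical and constructed to mirror the steps.

```ruby
# Hypothetical in-memory stand-in for the records and the controller action.
Org     = Struct.new(:id, :name)
Product = Struct.new(:id, :name, :org_id)
User    = Struct.new(:login, :role, :org_ids)

class ProductLookup
  def initialize(products)
    @products = products
  end

  # Default scope: only rows whose organization the user belongs to.
  # The scope is applied before the id lookup, so a record outside the
  # user's organizations is never loaded, whichever URL reached this code.
  def scoped_for(user)
    @products.select { |p| user.org_ids.include?(p.org_id) }
  end

  # Scoped action: returns [status, record] like a controller would.
  def show(user, product_id)
    product = scoped_for(user).find { |p| p.id == product_id }
    return [403, nil] if product.nil?
    [200, product]
  end

  # The buggy pattern described in this issue: lookup by id with no
  # organization restriction, so a direct URL exposes another org's item.
  def show_unscoped(_user, product_id)
    product = @products.find { |p| p.id == product_id }
    return [404, nil] if product.nil?
    [200, product]
  end
end

# Constructed sample data: a product in Org 1, a viewer placed only in Org 2.
ORG1 = Org.new(1, "Org 1")
ORG2 = Org.new(2, "Org 2")
PRODUCTS = [Product.new(1, "product-in-org1", ORG1.id)]
ADMIN_ORG1 = User.new("admin", :admin, [ORG1.id])
VIEWER_ORG2 = User.new("viewer2", :viewer, [ORG2.id])
LOOKUP = ProductLookup.new(PRODUCTS)

if __FILE__ == $0
  p LOOKUP.show(ADMIN_ORG1, 1)           # [200, #<struct Product ...>]
  p LOOKUP.show(VIEWER_ORG2, 1)          # [403, nil]
  p LOOKUP.show_unscoped(VIEWER_ORG2, 1) # [200, ...]  the leak this bug reports
end
```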

Related issues

Related to Foreman - Tracker #10022: Taxonomies related issues (New, 2015-04-05)

History

#1 Updated by Dominic Cleal almost 3 years ago

  • Category changed from Web Interface to Organizations and Locations
  • Status changed from New to Assigned

Taxonomix models ought to be restricted by their default scope to orgs/locations, preventing them from being viewed if the user's current context doesn't match. Can you supply any more specifics or reproducer in Foreman?

Please note that security issues in Foreman should be reported to foreman-security in the first instance: see http://theforeman.org/security.html, https://groups.google.com/d/msg/foreman-dev/noN-XJ1qXgU/vYFPVYLQDQAJ.

#2 Updated by Marek Hulán almost 3 years ago

#3 Updated by Walden Raines almost 3 years ago

  • Project changed from Foreman to Katello
  • Category changed from Organizations and Locations to Web UI

Sorry, meant to create this in katello!

#4 Updated by Justin Sherrill almost 3 years ago

  • Category changed from Web UI to API
  • Priority changed from Normal to High
  • Legacy Backlogs Release (now unused) set to 144

#5 Updated by Eric Helms almost 3 years ago

  • Legacy Backlogs Release (now unused) deleted (144)

#6 Updated by Justin Sherrill almost 3 years ago

  • Legacy Backlogs Release (now unused) set to 143

#7 Updated by Justin Sherrill almost 3 years ago

  • Assignee changed from Walden Raines to Chris Duryee

#8 Updated by Chris Duryee almost 3 years ago

This appears to work for me.

How I tested:

  • create org 1, add a product
  • create org 2
  • create user, add viewer role and add to org 2
  • log out, log in as new user
  • attempt to view /products/1/repositories

result: 403

note: the 403 page is broken and results in a 500, but this is a different issue.

#9 Updated by Chris Duryee almost 3 years ago

  • Status changed from Assigned to Closed

per irc convo w/ walden, closing this ticket and opening a new one for the 403 issue.
