Bug #15270 (closed)
Need to prevent users from viewing items not in their organization
Description
Users are able to view some details of items that don't belong to their org if they visit the URL directly. This should not be so.
Steps to Reproduce
- Ensure you have items in Org 1
- Create an additional org (Org 2) if you don't already have one
- Create an additional non-admin user with the "viewer" role and place them in Org 2
- With the user created in step 3, go to a URL for an item in Org 1
- Note that you can usually see the details of the item (product for instance)
Updated by Dominic Cleal over 8 years ago
- Category changed from Web Interface to Organizations and Locations
- Status changed from New to Assigned
Taxonomix models ought to be restricted by their default scope to orgs/locations, preventing them from being viewed if the user's current context doesn't match. Can you supply any more specifics or reproducer in Foreman?
Please note that security issues in Foreman should be reported to foreman-security in the first instance: see http://theforeman.org/security.html, https://groups.google.com/d/msg/foreman-dev/noN-XJ1qXgU/vYFPVYLQDQAJ.
Updated by Marek Hulán over 8 years ago
- Related to Tracker #10022: Taxonomies related issues added
Updated by Walden Raines over 8 years ago
- Project changed from Foreman to Katello
- Category changed from Organizations and Locations to Web UI
Sorry, meant to create this in katello!
Updated by Justin Sherrill over 8 years ago
- Category changed from Web UI to API
- Priority changed from Normal to High
- Release set to 144
Updated by Eric Helms over 8 years ago
- Release deleted (144)
Updated by Justin Sherrill over 8 years ago
- Release set to 143
Updated by Justin Sherrill over 8 years ago
- Assignee changed from Walden Raines to Chris Duryee
Updated by Chris Duryee over 8 years ago
This appears to work for me.
How I tested:
- create org 1, add a product
- create org 2
- create user, add viewer role and add to org 2
- log out, log in as new user
- attempt to view /products/1/repositories
result: 403
note: the 403 page is broken and results in a 500, but this is a different issue.
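Added example (not Katello or Foreman code, and not part of this ticket's discussion): a plain-Ruby sketch of the two controls the thread touches on, the per-record permission check that yields the 403 Chris observed, and a taxonomy-style default scope of the kind Dominic describes, which hides out-of-context records before the id is even applied. The Organization, User and Product structs, the sample data and the helper names are all constructed here for illustration; Foreman's real Taxonomix concern and Katello's controllers are not modelled.

```ruby
# Added example, not Katello or Foreman code. Organization, User, Product,
# the helper names and the sample data below are hypothetical and constructed
# to mirror the reproducer in this ticket; no Rails or ActiveRecord is needed.

Organization = Struct.new(:id, :name)
User         = Struct.new(:id, :login, :role, :organization_ids)
Product      = Struct.new(:id, :name, :organization_id)

class NotFound  < StandardError; end
class Forbidden < StandardError; end

# Constructed data: one product in Org 1, one in Org 2, a non-admin viewer
# placed only in Org 2, and an admin who is a member of both orgs.
ORGS     = [Organization.new(1, "Org 1"), Organization.new(2, "Org 2")].freeze
PRODUCTS = [Product.new(1, "Org 1 Product", 1), Product.new(2, "Org 2 Product", 2)].freeze
VIEWER   = User.new(10, "viewer2", :viewer, [2]).freeze
ADMIN    = User.new(1,  "admin",   :admin,  [1, 2]).freeze

def member_of?(user, org_id)
  user.role == :admin || user.organization_ids.include?(org_id)
end

# The bug as reported: a lookup keyed only on the id taken from the URL.
# Any authenticated user who guesses /products/1 gets the row back.
def find_unscoped(id)
  PRODUCTS.find { |p| p.id == id } or raise NotFound, "product #{id}"
end

# Control 1: authorize the record after loading it. This produces the 403
# from Chris's test, but a foreign id still answers differently from a
# non-existent one (403 vs 404), so existence of other orgs' ids leaks.
def show_product(user, id)
  product = find_unscoped(id)
  unless member_of?(user, product.organization_id)
    raise Forbidden, "not a member of org #{product.organization_id}"
  end
  [200, product.name]
rescue Forbidden
  [403, nil]
rescue NotFound
  [404, nil]
end

# Control 2: a default scope in the style of Foreman's taxonomy scoping. The
# visible set is narrowed to the caller's current organization first, so an
# Org 1 product simply does not exist from an Org 2 context (404, not 403).
def visible_products(user, current_org_id)
  unless member_of?(user, current_org_id)
    raise Forbidden, "org #{current_org_id} is not in the user's context"
  end
  PRODUCTS.select { |p| p.organization_id == current_org_id }
end

def find_scoped(user, current_org_id, id)
  visible_products(user, current_org_id).find { |p| p.id == id } or
    raise NotFound, "product #{id}"
end

def show_product_in_context(user, current_org_id, id)
  product = find_scoped(user, current_org_id, id)
  [200, product.name]
rescue Forbidden
  [403, nil]
rescue NotFound
  [404, nil]
end

if __FILE__ == $PROGRAM_NAME
  # Walk the reproducer: the Org 2 viewer requests the Org 1 product.
  puts "unscoped:   #{find_unscoped(1).name}"                          # the leak
  puts "authorized: #{show_product(VIEWER, 1).inspect}"                # [403, nil]
  puts "scoped:     #{show_product_in_context(VIEWER, 2, 1).inspect}"  # [404, nil]
end
```

The two controls are complementary: the permission check decides whether the caller may act on a record it can already name, while the scope decides which records are nameable at all from the current org context. Run `ruby` on the file to see the unscoped leak beside the 403 and 404 responses.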
Updated by Chris Duryee over 8 years ago
- Status changed from Assigned to Closed
Per IRC convo w/ Walden, closing this ticket and opening a new one for the 403 issue.