Bug #15270
closed
Need to prevent users from viewing items not in their organization
Added by Walden Raines over 8 years ago.
Updated over 6 years ago.
Description
Users are able to view some details of items that don't belong to their org if they visit the URL directly. This should not be so.
Steps to Reproduce
- Ensure you have items in Org 1
- Create an additional org (Org 2) if you don't already have one
- Create an additional non-admin user with the "viewer" role and place them in Org 2
- With the user created in step 3 go to a URL for an item in Org 1
- Note that you can usually see the details of the item (product for instance)
Related issues
1 (1 open — 0 closed)
- Category changed from Web Interface to Organizations and Locations
- Status changed from New to Assigned
- Project changed from Foreman to Katello
- Category changed from Organizations and Locations to Web UI
Sorry, meant to create this in Katello!
- Category changed from Web UI to API
- Priority changed from Normal to High
- Release set to 144
- Release deleted (144)
- Release set to 143
- Assignee changed from Walden Raines to Chris Duryee
This appears to work for me.
How I tested:
- create org 1, add a product
- create org 2
- create user, add viewer role and add to org 2
- log out, log in as new user
- attempt to view /products/1/repositories
result: 403
note: the 403 page is broken and results in a 500, but this is a different issue.
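Added example, not Katello's own code: a self-contained Ruby sketch of the object-level authorization check that the steps to reproduce in the description and the verification steps in this comment exercise. The organization, user and product records, the `find_product_unscoped`/`find_product_scoped` helpers and `status_for` are all constructed here for illustration; Katello's real models, routes and permission names are not reproduced. The unscoped lookup is the "before" behaviour the report describes (any authenticated user who visits the URL sees the record); the scoped lookup is the shape of fix that makes the viewer in Org 2 get a 403 on an Org 1 product.

```ruby
# Constructed in-memory model; none of this is Katello code.
Org     = Struct.new(:id, :name)
User    = Struct.new(:login, :admin, :org_ids)
Product = Struct.new(:id, :name, :org_id)

ORGS     = { 1 => Org.new(1, "Org 1"), 2 => Org.new(2, "Org 2") }
PRODUCTS = {
  1 => Product.new(1, "Org 1 product", 1),   # the item the report visits directly
  2 => Product.new(2, "Org 2 product", 2),
}
VIEWER = User.new("viewer2", false, [2])     # non-admin "viewer" placed in Org 2 (step 3)
ADMIN  = User.new("admin",   true,  [1, 2])  # admin sees everything

class Forbidden < StandardError; end
class NotFound  < StandardError; end

# "Before": the lookup is keyed on the id alone, so the only thing standing
# between a user and another org's product is knowing (or guessing) the URL.
def find_product_unscoped(_user, id)
  PRODUCTS.fetch(id) { raise NotFound }
end

# "After": the lookup is restricted to organizations the user belongs to.
# Admins bypass the restriction; everyone else is refused outside their orgs.
def find_product_scoped(user, id)
  product = PRODUCTS.fetch(id) { raise NotFound }
  return product if user.admin
  raise Forbidden unless user.org_ids.include?(product.org_id)
  product
end

# Maps the outcome of GET /products/:id (as a controller would) to an HTTP status.
def status_for(user, id, scoped:)
  scoped ? find_product_scoped(user, id) : find_product_unscoped(user, id)
  200
rescue Forbidden
  403
rescue NotFound
  404
end

# Replays the report: the Org 2 viewer requests the Org 1 product by URL.
def reproduce_report
  {
    before: status_for(VIEWER, 1, scoped: false),  # 200: details leak across orgs
    after:  status_for(VIEWER, 1, scoped: true),   # 403: refused
    own_org: status_for(VIEWER, 2, scoped: true),  # 200: viewer still sees Org 2 items
    admin:   status_for(ADMIN, 1, scoped: true),   # 200: admin unaffected
    missing: status_for(VIEWER, 99, scoped: true), # 404: id does not exist
  }
end

if __FILE__ == $PROGRAM_NAME
  reproduce_report.each { |k, v| puts "#{k}: #{v}" }
end
```

Two things to check when applying this pattern to a real controller: nested routes such as /products/1/repositories must resolve the parent through the same scoped lookup, otherwise the child endpoint reopens the hole the parent closed (which is why the verification above hits the nested URL rather than just /products/1); and returning 403 for an id outside the caller's organizations confirms that the id exists, so a deployment that cares about enumeration may prefer to answer 404 for both the missing and the foreign case.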
- Status changed from Assigned to Closed
per IRC convo w/ Walden, closing this ticket and opening a new one for the 403 issue.