Bug #1582

Privacy leak in dashboard, statistics, facts and classes.

Added by Brian Gupta about 7 years ago. Updated about 7 years ago.

Status: Closed
Priority: Normal
Category: Authorization
Triaged: No

Description

Note that if using roles and user-based domain filters, the dashboard still shows stats for hosts that the user isn't supposed to know about.

The same issue is present for stats, facts and classes.

Associated revisions

Revision caa5fcf0 (diff)
Added by Greg Sutcliffe about 7 years ago

Fix privacy leaks in stats, facts, and dashboard - fixes #1582

History

#1 Updated by Greg Sutcliffe about 7 years ago

  • % Done changed from 0 to 70

Ok, I've had a bash at it, and I think I've fixed all but the Classes. You can find the patch at https://github.com/GregSutcliffe/foreman/tree/1582 and if you have time to test, I'd be grateful.

As for the Classes, I'm thinking that we might be able to build a db query about what classes are available to every host the user can edit. Could be tricky, but I'll see if I can take a look over the weekend.

#2 Updated by Greg Sutcliffe about 7 years ago

Ok, pull request in (https://github.com/theforeman/foreman/pull/53). It seems classes are already filtered by the environment the host is in, so I guess we need to:

a) Provide a way for an Admin to restrict what environments a user can select when editing a host.
b) Ensure that if the user can see the Puppet Classes page, that it only shows classes available to the environments configured in (a)

@bgupta, if you agree, I'll create a feature request for that and we can close this when 53 is merged....

#3 Updated by Greg Sutcliffe about 7 years ago

  • Status changed from New to Closed
  • % Done changed from 70 to 100
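
The leak reported here, and the class filtering idea from comment #1, sketched as an added example in plain Ruby; this is not the Foreman code or the patch from the pull request. Host, User, the sample data and all method names are hypothetical and constructed for illustration. It shows an aggregate computed over every host next to the same aggregate computed only over hosts that pass the user's domain filter.

```ruby
# Constructed sample data; Host, User and every field name are hypothetical.
Host = Struct.new(:name, :domain, :environment, :os)
User = Struct.new(:login, :admin, :domains)

HOSTS = [
  Host.new("web01", "a.example", "production", "Debian"),
  Host.new("web02", "a.example", "production", "Debian"),
  Host.new("db01",  "b.example", "staging",    "CentOS"),
  Host.new("db02",  "b.example", "secret_lab", "Solaris"),
].freeze

# Puppet classes available per environment (constructed).
CLASSES = {
  "production" => %w[apache ntp],
  "staging"    => %w[mysql ntp],
  "secret_lab" => %w[prototype],
}.freeze

# The one place where the user's domain filter is applied.
def visible_hosts(user, hosts = HOSTS)
  return hosts if user.admin
  hosts.select { |h| user.domains.include?(h.domain) }
end

# Count hosts per operating system.
def count_by_os(hosts)
  hosts.each_with_object(Hash.new(0)) { |h, acc| acc[h.os] += 1 }
end

# Leaky form: the aggregate ignores the user, so the counts and the
# category names reveal hosts outside the user's filter.
def os_stats_unscoped(_user, hosts = HOSTS)
  count_by_os(hosts)
end

# Scoped form: aggregate only over hosts the user is allowed to see.
def os_stats_scoped(user, hosts = HOSTS)
  count_by_os(visible_hosts(user, hosts))
end

# Classes page limited to the environments of the user's visible hosts.
def visible_classes(user, hosts = HOSTS, classes = CLASSES)
  envs = visible_hosts(user, hosts).map(&:environment).uniq
  envs.flat_map { |e| classes.fetch(e, []) }.uniq.sort
end
```

Routing every dashboard, statistics, facts and classes query through the same filtered host set keeps list views and aggregates consistent for a restricted user.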
