Privacy leak in dashboard, statistics, facts and classes.
Note that if using roles and user-based domain filters, the dashboard still shows stats for hosts that the user isn't supposed to know about.
The same issue is present for stats, facts and classes.
#1 Updated by Greg Sutcliffe almost 11 years ago
- % Done changed from 0 to 70
Ok, I've had a bash at it, and I think I've fixed all but the Classes. You can find the patch at https://github.com/GregSutcliffe/foreman/tree/1582 and if you have time to test, I'd be grateful.
As for the Classes, I'm thinking that we might be able to build a db query about what classes are available to every host the user can edit. Could be tricky, but I'll see if I can take a look over the weekend.
#2 Updated by Greg Sutcliffe almost 11 years ago
Ok, pull request in (https://github.com/theforeman/foreman/pull/53). It seems classes are already filtered by the environment the host is in, so I guess we need to:
a) Provide a way for an Admin to restrict what environments a user can select when editing a host.
b) Ensure that, if the user can see the Puppet Classes page, it only shows classes available to the environments configured in (a).
@bgupta, if you agree, I'll create a feature request for that and we can close this when 53 is merged...
#3 Updated by Greg Sutcliffe almost 11 years ago
- Status changed from New to Closed
- % Done changed from 70 to 100
Applied in changeset caa5fcf0b6aabc8d69ceda82bf60cad060f8221d.
Fix privacy leaks in stats, facts, and dashboard - fixes #1582
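
The class of leak tracked in this ticket, shown as an added example (this is not Foreman's code and not the applied patch): aggregates computed over all hosts disclose hosts outside a user's domain filter, while aggregates built from one shared scoping method do not. `Host`, `User`, `visible_hosts` and the sample data are hypothetical names and constructed values.

```ruby
# Constructed sample data. Host, User and every method name below are
# hypothetical stand-ins, not Foreman's models or API.
Host = Struct.new(:name, :domain, :status, :facts)
User = Struct.new(:login, :admin, :domains)

HOSTS = [
  Host.new("web1.a.example", "a.example", :ok,    { "os" => "Debian" }),
  Host.new("web2.a.example", "a.example", :error, { "os" => "Debian" }),
  Host.new("db1.b.example",  "b.example", :error, { "os" => "RedHat" }),
  Host.new("db2.b.example",  "b.example", :ok,    { "os" => "Solaris" })
].freeze

# Single choke point for authorization. Assumption for this example:
# admins see everything, other users see only hosts in their domain filters.
def visible_hosts(user, hosts = HOSTS)
  return hosts if user.admin
  hosts.select { |h| user.domains.include?(h.domain) }
end

# Leaky pattern: the host list may be filtered elsewhere, but the
# dashboard counters are computed over the whole table.
def dashboard_unscoped(_user, hosts = HOSTS)
  { total: hosts.size, errors: hosts.count { |h| h.status == :error } }
end

# Scoped pattern: counters are derived from the same scope as the list.
def dashboard_scoped(user, hosts = HOSTS)
  scoped = visible_hosts(user, hosts)
  { total: scoped.size, errors: scoped.count { |h| h.status == :error } }
end

# Fact statistics need the same scope, otherwise a value held only by a
# hidden host (here "Solaris") reveals that the host exists.
def fact_counts(user, fact, hosts = HOSTS)
  values = visible_hosts(user, hosts).map { |h| h.facts[fact] }.compact
  values.each_with_object(Hash.new(0)) { |v, acc| acc[v] += 1 }
end

if __FILE__ == $0
  alice = User.new("alice", false, ["a.example"])
  puts "unscoped: #{dashboard_unscoped(alice)}"
  puts "scoped:   #{dashboard_scoped(alice)}"
  puts "facts:    #{fact_counts(alice, 'os')}"
end
```

A regression test for this kind of bug compares each aggregate view against the filtered host list for a restricted user, as the assertions for this example do.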