Privacy leak in dashboard, statistics, facts and classes.
Note that if using roles and user-based domain filters, the dashboard still shows stats for hosts that the user isn't supposed to know about.
The same issue is present for stats, facts and classes.
#1 Updated by Greg Sutcliffe over 7 years ago
- % Done changed from 0 to 70
Ok, I've had a bash at it, and I think I've fixed all but the Classes. You can find the patch at https://github.com/GregSutcliffe/foreman/tree/1582 and if you have time to test, I'd be grateful.
As for the Classes, I'm thinking that we might be able to build a db query about what classes are available to every host the user can edit. Could be tricky, but I'll see if I can take a look over the weekend.
#2 Updated by Greg Sutcliffe over 7 years ago
Ok, pull request in (https://github.com/theforeman/foreman/pull/53). It seems classes are already filtered by the environment the host is in, so I guess we need to:
a) Provide a way for an Admin to restrict what environments a user can select when editing a host.
b) Ensure that if the user can see the Puppet Classes page, it only shows classes available to the environments configured in (a).
@bgupta, if you agree, I'll create a feature request for that and we can close this when 53 is merged....
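The leak reported in this ticket and the scoping proposed in points (a) and (b), modelled in plain Ruby as an added example. It is not Foreman's code or the patch in the pull request; every name, structure and sample record below is constructed for illustration.

```ruby
# Added illustration in plain Ruby (no Rails); not Foreman code.
# Hosts, users and class lists are constructed sample data.
Host = Struct.new(:name, :domain, :environment, :status)
User = Struct.new(:login, :admin, :domains, :environments)

HOSTS = [
  Host.new("web1.a.example", "a.example", "production", :ok),
  Host.new("web2.a.example", "a.example", "production", :error),
  Host.new("db1.b.example",  "b.example", "staging",    :error),
  Host.new("hr1.c.example",  "c.example", "hr",         :ok),
].freeze

# Puppet classes available per environment (constructed).
ENV_CLASSES = {
  "production" => %w[apache ntp],
  "staging"    => %w[postgres ntp],
  "hr"         => %w[payroll],
}.freeze

# Single authorization choke point: every view derives its data from this.
def visible_hosts(user, hosts = HOSTS)
  return hosts if user.admin
  hosts.select { |h| user.domains.include?(h.domain) }
end

def summarize(hosts)
  { total: hosts.size,
    by_status: hosts.group_by(&:status).transform_values(&:size),
    by_domain: hosts.group_by(&:domain).transform_values(&:size) }
end

# Leaky pattern: the host list is filtered elsewhere, but the
# aggregates are still computed over every host in the system.
def dashboard_unscoped(_user, hosts = HOSTS)
  summarize(hosts)
end

# Corrected pattern: the same aggregation over the user's scoped set.
def dashboard_scoped(user, hosts = HOSTS)
  summarize(visible_hosts(user, hosts))
end

# Points (a) and (b): only classes from environments granted to the user.
def visible_classes(user, env_classes = ENV_CLASSES)
  envs = user.admin ? env_classes.keys : user.environments
  env_classes.values_at(*envs).compact.flatten.uniq.sort
end
```

Counts and per-domain breakdowns disclose the existence of hosts even when no host record is shown, so the aggregate views need the same filter as the list views.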