Project

General

Profile

Actions

Bug #16982

closed

CVE-2016-7078 - User with no organizations or locations can see all resources

Added by Daniel Lobato Garcia about 8 years ago. Updated over 6 years ago.


Description

The default scope for hosts does not restrict properly by taxonomies. Given this use case:

1. User has role 'Edit host'
2. User has no organization or location
3. User logs in, goes to /hosts and can do anything it's permissions allow to. The list of hosts is unrestricted and shows hosts in any location or organization.
4. If the user gets a taxonomy assigned to it, then the restriction works normally.

This should work so that:

- Users without taxonomies, when set to 'any context' cannot see anything 
- Users with taxonomies, when set to 'any context' can see everything within all of their taxonomies context.
- Admins set to 'any context' can see everything - regardless of whether it has a taxonomy or not.
- Users or admins set to some organization/location scope can only see stuff within scope.

Pending CVE number.


Related issues 7 (0 open7 closed)

Related to Foreman - Bug #18662: Ensure Taxonomix empty default scope isn't overridden by association scopesClosedDominic Cleal02/24/2017Actions
Related to Discovery - Bug #18686: Fix broken tests after taxonomy scope changeClosedLukas Zapletal02/27/2017Actions
Related to Discovery - Bug #19409: Auto provision does not work after taxonomy fixClosedOhad Levy04/27/2017Actions
Related to Foreman - Bug #20017: Mail notifications not being sentClosedMarek Hulán06/14/2017Actions
Related to Foreman - Bug #20321: Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2ClosedMarek Hulán07/17/2017Actions
Related to Foreman - Bug #20515: User searching by login in code does not find the user because of missing unscopedClosedMarek Hulán08/07/2017Actions
Copied to Katello - Bug #17266: Fix tests that depend on CVE 2016-7078ClosedDaniel Lobato Garcia10/18/2016Actions
Actions #1

Updated by Dominic Cleal about 8 years ago

  • Subject changed from User with no taxonomies can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all hosts
  • Status changed from New to Assigned
Actions #2

Updated by Dominic Cleal about 8 years ago

  • Subject changed from CVE-2016-7078 - User with no organizations or locations can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all resources

Applies to both hosts and objects linked to multiple orgs/locs (via Taxonomix).

Actions #3

Updated by The Foreman Bot about 8 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3954 added
Actions #4

Updated by The Foreman Bot about 8 years ago

  • Pull request https://github.com/theforeman/foreman/pull/3961 added
Actions #5

Updated by Daniel Lobato Garcia about 8 years ago

  • Target version set to 1.5.2
Actions #6

Updated by Daniel Lobato Garcia about 8 years ago

  • Copied to Bug #17266: Fix tests that depend on CVE 2016-7078 added
Actions #7

Updated by Daniel Lobato Garcia about 8 years ago

  • Target version changed from 1.5.2 to 1.4.3
Actions #8

Updated by The Foreman Bot almost 8 years ago

  • Pull request https://github.com/theforeman/foreman/pull/4172 added
Actions #9

Updated by Daniel Lobato Garcia almost 8 years ago

  • Target version changed from 1.4.3 to 169
Actions #10

Updated by Brad Buckingham almost 8 years ago

  • Target version deleted (169)
Actions #11

Updated by Daniel Lobato Garcia almost 8 years ago

  • Target version set to 1.11.0
Actions #12

Updated by Anonymous almost 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #13

Updated by Dominic Cleal almost 8 years ago

  • Translation missing: en.field_release set to 209
Actions #14

Updated by The Foreman Bot almost 8 years ago

  • Pull request https://github.com/theforeman/foreman/pull/4327 added
Actions #15

Updated by The Foreman Bot almost 8 years ago

  • Pull request https://github.com/theforeman/foreman/pull/4328 added
Actions #16

Updated by The Foreman Bot almost 8 years ago

  • Pull request https://github.com/theforeman/foreman/pull/4329 added
Actions #17

Updated by Dominic Cleal almost 8 years ago

  • Related to Bug #18662: Ensure Taxonomix empty default scope isn't overridden by association scopes added
Actions #18

Updated by Lukas Zapletal almost 8 years ago

  • Related to Bug #18686: Fix broken tests after taxonomy scope change added
Actions #19

Updated by Lukas Zapletal over 7 years ago

  • Related to Bug #19313: Auto-provisioning does not orchestrate TFTP added
Actions #20

Updated by Ohad Levy over 7 years ago

  • Related to Bug #19409: Auto provision does not work after taxonomy fix added
Actions #21

Updated by Lukas Zapletal over 7 years ago

  • Related to deleted (Bug #19313: Auto-provisioning does not orchestrate TFTP)
Actions #22

Updated by Marek Hulán over 7 years ago

  • Related to Bug #20017: Mail notifications not being sent added
Actions #23

Updated by Marek Hulán over 7 years ago

  • Related to Bug #20321: Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2 added
Actions #24

Updated by Marek Hulán over 7 years ago

  • Related to Bug #20515: User searching by login in code does not find the user because of missing unscoped added
Actions

Also available in: Atom PDF