Bug #16982
closed
CVE-2016-7078 - User with no organizations or locations can see all resources
Added by Daniel Lobato Garcia about 8 years ago.
Updated over 6 years ago.
Description
The default scope for hosts does not restrict properly by taxonomies. Given this use case:
1. User has role 'Edit host'
2. User has no organization or location
3. User logs in, goes to /hosts and can do anything it's permissions allow to. The list of hosts is unrestricted and shows hosts in any location or organization.
4. If the user gets a taxonomy assigned to it, then the restriction works normally.
This should work so that:
- Users without taxonomies, when set to 'any context' cannot see anything
- Users with taxonomies, when set to 'any context' can see everything within all of their taxonomies context.
- Admins set to 'any context' can see everything - regardless of whether it has a taxonomy or not.
- Users or admins set to some organization/location scope can only see stuff within scope.
Pending CVE number.
- Subject changed from User with no taxonomies can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all hosts
- Status changed from New to Assigned
- Subject changed from CVE-2016-7078 - User with no organizations or locations can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all resources
Applies to both hosts and objects linked to multiple orgs/locs (via Taxonomix).
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3954 added
- Pull request https://github.com/theforeman/foreman/pull/3961 added
- Target version set to 1.5.2
- Copied to Bug #17266: Fix tests that depend on CVE 2016-7078 added
- Target version changed from 1.5.2 to 1.4.3
- Pull request https://github.com/theforeman/foreman/pull/4172 added
- Target version changed from 1.4.3 to 169
- Target version deleted (
169)
- Target version set to 1.11.0
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
- Translation missing: en.field_release set to 209
- Pull request https://github.com/theforeman/foreman/pull/4327 added
- Pull request https://github.com/theforeman/foreman/pull/4328 added
- Pull request https://github.com/theforeman/foreman/pull/4329 added
- Related to Bug #18662: Ensure Taxonomix empty default scope isn't overridden by association scopes added
- Related to Bug #18686: Fix broken tests after taxonomy scope change added
- Related to Bug #19313: Auto-provisioning does not orchestrate TFTP added
- Related to Bug #19409: Auto provision does not work after taxonomy fix added
- Related to deleted (Bug #19313: Auto-provisioning does not orchestrate TFTP)
- Related to Bug #20017: Mail notifications not being sent added
- Related to Bug #20321: Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2 added
- Related to Bug #20515: User searching by login in code does not find the user because of missing unscoped added
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by Anonymous 
Updated by 
Updated by 
Updated by