User in multiple Orgs gets 'Any Organization' option that really is any Org
I can create a user that belongs to a single Org and he sees VMs that belong to just his Org. But when I add a user to more than one Org, he can choose any of those from the menu and see just the hosts in that particular Org.
The problem is the user also gets an 'Any Organization' option (which they log in with by default) and can see VMs outside of their two Orgs. The user can also perform operations on the VMs in other Orgs, including deleting them.
#6 Updated by Jason Montleon about 6 years ago
- Target version deleted (
In 1.2, creating a non-admin user assigned to multiple orgs and then logging in as them will give you a nil org, allowing you to see hosts and perform actions you shouldn't be able to.
Once you select an org, there is no longer an 'Any Organization' option to easily get back, but logging out and clearing your browser history is enough to get back to a nil org (logging out and back in does not seem to be sufficient).
#7 Updated by Jason Montleon about 6 years ago
In the pull I submitted above, the two lines:
+ elsif !User.current.admin?
in app/controllers/application_controller.rb stop the user from getting a nil org when logging in if they are a non-admin.
I don't know if there are other ways to get nil org by being crafty, but this would at least be a start.
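Added example, not code from Foreman or from the pull request above: a stand-alone Ruby script with constructed orgs, hosts and users that shows why a nil org ("Any Organization") returns every host, and a guard that refuses a nil org for non-admins and checks org membership on every request rather than only at login. All names in it (Org, Host, User, hosts_for_org, resolve_org, OrgNotPermitted, the sample data) are this example's own assumptions, not Foreman's.

```ruby
# Added example (not Foreman's code): why a nil "current organization" widens
# a per-organization query to everything, and a guard that refuses nil for
# non-admins on every request, not only at login. All names are illustrative.

Org  = Struct.new(:id, :name)
Host = Struct.new(:name, :org_id)
User = Struct.new(:login, :admin, :org_ids)

class OrgNotPermitted < StandardError; end

# Constructed sample data: three orgs, four hosts.
ORGS = {
  1 => Org.new(1, "org-a"),
  2 => Org.new(2, "org-b"),
  3 => Org.new(3, "org-c"),
}.freeze
HOSTS = [
  Host.new("a1", 1), Host.new("a2", 1),
  Host.new("b1", 2),
  Host.new("c1", 3),
].freeze

# Constructed users: a non-admin in two orgs (the case in the report) and an admin.
ALICE = User.new("alice", false, [1, 2])
ROOT  = User.new("root",  true,  [])

# The weak query: a nil org ("Any Organization") means "no organization filter".
# This is the behaviour the report describes for non-admins.
def hosts_for_org(org)
  return HOSTS if org.nil?
  HOSTS.select { |h| h.org_id == org.id }
end

# Guard applied before the query on each request:
#   - an admin may keep nil (see everything) or pick any org;
#   - a non-admin who chose no org gets the first org they belong to, never nil;
#   - a non-admin who asks for an org they are not a member of is refused.
# Resolving on every request means a stale or cleared session cannot hand a
# non-admin a nil org again (the "clear browser history" path noted in #6).
def resolve_org(user, requested_org_id)
  if requested_org_id.nil?
    return nil if user.admin
    raise OrgNotPermitted, "#{user.login} belongs to no organization" if user.org_ids.empty?
    return ORGS.fetch(user.org_ids.first)
  end
  return ORGS.fetch(requested_org_id) if user.admin
  unless user.org_ids.include?(requested_org_id)
    raise OrgNotPermitted, "#{user.login} is not a member of org #{requested_org_id}"
  end
  ORGS.fetch(requested_org_id)
end

# Hardened entry point: the filter is decided by membership, not by whatever
# the session happened to contain.
def visible_hosts(user, requested_org_id)
  hosts_for_org(resolve_org(user, requested_org_id))
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped, nil org: #{hosts_for_org(nil).map(&:name).join(' ')}"
  puts "alice, nil org:    #{visible_hosts(ALICE, nil).map(&:name).join(' ')}"
  puts "alice, org 2:      #{visible_hosts(ALICE, 2).map(&:name).join(' ')}"
  begin
    visible_hosts(ALICE, 3)
  rescue OrgNotPermitted => e
    puts "alice, org 3:      refused (#{e.message})"
  end
  puts "root, nil org:     #{visible_hosts(ROOT, nil).map(&:name).join(' ')}"
end
```

The design point is that the guard sits in front of the query, not only in the login path: the pull described above closes the login case, while #6 shows the nil org can also come back through session state, so checking membership on each request (in Rails terms, a before_action rather than only in the login action) covers both.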