Bug #23994

It is possible to update template in organizations user does not have permission for when importing a template

Added by Ondřej Pražák 8 months ago. Updated 7 months ago.

Status: Closed
Priority: High
Category: Templates

Description

Steps to reproduce:

1) Create a non-admin user_a with the Manager role in OrgA and LocA only; do the same for user_b with OrgB and LocB.
2) Try importing a new template as user_a into OrgB and LocB with the following command:

curl -H "Accept: application/json" -H "Content-Type: application/json" -k -X POST -u user_a:changeme https://$(hostname)/api/v2/provisioning_templates/import -d '{ "provisioning_template": {"name": "An org test", "template": "<%#\nkind: PXELinux\nname: An org test\nmodel: ProvisioningTemplate\norganizations:\n - OrgB\nlocations:\n - LocB\n%>\ntest"}, "options": {"verbose": "true", "associate": "always"} }' | json_reformat

You will not be permitted to do so as expected.

3) Now import the template into OrgA, LocA as user_a, which succeeds:

curl -H "Accept: application/json" -H "Content-Type: application/json" -k -X POST -u user_a:changeme https://$(hostname)/api/v2/provisioning_templates/import -d '{ "provisioning_template": {"name": "An org test", "template": "<%#\nkind: PXELinux\nname: An org test\nmodel: ProvisioningTemplate\norganizations:\n - OrgA\nlocations:\n - LocA\n%>\ntest"}, "options": {"verbose": "true", "associate": "always"} }' | json_reformat

4) Try importing a template with the same name as user_b into LocB and OrgB:

curl -H "Accept: application/json" -H "Content-Type: application/json" -k -X POST -u user_b:changeme https://$(hostname)/api/v2/provisioning_templates/import -d '{ "provisioning_template": {"name": "An org test", "template": "<%#\nkind: PXELinux\nname: An org test\nmodel: ProvisioningTemplate\norganizations:\n - OrgB\nlocations:\n - LocB\n%>\ntest again"}, "options": {"verbose": "true", "associate": "always"} }' | json_reformat

The result will be a successfully imported template assigned to LocB and OrgB only. user_b was thus able to update something he does not have permissions for, and user_a can no longer use that template, since it was removed from OrgA and LocA and its original content was likely overwritten with whatever user_b posted.
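The lookup problem behind the report, modelled in a few lines of Ruby. This is an added example, not Foreman's code or the fix in the linked pull request: Template, User, Importer, the visibility rule and the assumption that template names are globally unique are all simplifications. It replays steps 2 to 4 against an unscoped lookup (the reported behaviour) and against a lookup that refuses to touch a same-named template the caller cannot see.

```ruby
# Added example, not Foreman's code: an in-memory model of the import lookup
# behind this bug. Template, User, Importer and the visibility rule below are
# simplified assumptions, not Foreman's API.
Template = Struct.new(:name, :content, :orgs, :locs)
User     = Struct.new(:name, :orgs, :locs)
class ForbiddenError < StandardError; end
class Importer
  def templates; @templates ||= []; end # stands in for the table; names unique
  # Caller may assign only orgs/locs they belong to (checked by both variants).
  def may_assign?(user, orgs, locs)
    (orgs - user.orgs).empty? && (locs - user.locs).empty?
  end
  # A template is visible to a user when it shares an org and a loc with them.
  def visible?(user, tpl)
    (tpl.orgs & user.orgs).any? && (tpl.locs & user.locs).any?
  end
  # Vulnerable: the name lookup ignores the caller's scope, so another org's template is overwritten (step 4).
  def import_unscoped(user, name, content, orgs, locs)
    raise ForbiddenError unless may_assign?(user, orgs, locs)
    write(templates.find { |t| t.name == name }, name, content, orgs, locs)
  end
  # Fixed: only visible templates are update candidates; a same-named one outside scope rejects the import.
  def import_scoped(user, name, content, orgs, locs)
    raise ForbiddenError unless may_assign?(user, orgs, locs)
    existing = templates.find { |t| t.name == name }
    raise ForbiddenError if existing && !visible?(user, existing)
    write(existing, name, content, orgs, locs)
  end
  def write(tpl, name, content, orgs, locs) # create-or-overwrite, as import does
    tpl ||= Template.new(name, nil, [], []).tap { |t| templates << t }
    tpl.content, tpl.orgs, tpl.locs = content, orgs, locs
    tpl
  end
end
# Replays steps 2-4 of the report through :import_unscoped or :import_scoped;
# returns the final "An org test" template and, per step, whether it was rejected.
def replay(method)
  imp = Importer.new
  a, b = User.new("user_a", ["OrgA"], ["LocA"]), User.new("user_b", ["OrgB"], ["LocB"])
  steps = [[a, "test", ["OrgB"], ["LocB"]], [a, "test", ["OrgA"], ["LocA"]],
           [b, "test again", ["OrgB"], ["LocB"]]]
  rejected = steps.map do |u, content, orgs, locs|
    imp.public_send(method, u, "An org test", content, orgs, locs)
    false
  rescue ForbiddenError # Ruby 2.6+ block-level rescue
    true
  end
  [imp.templates.find { |t| t.name == "An org test" }, rejected]
end
```

With the unscoped variant the third step succeeds and the template ends up with user_b's content in OrgB/LocB; with the scoped variant the third step is rejected and user_a's template is left untouched.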

Associated revisions

Revision 943bc1a2 (diff)
Added by Ondřej Pražák 8 months ago

Fixes #23994 - Do not update templates out of scope

History

#1 Updated by The Foreman Bot 8 months ago

  • Assignee set to Ondřej Pražák
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/5725 added

#2 Updated by Tomer Brisker 8 months ago

  • Triaged set to Yes
  • Legacy Backlogs Release (now unused) set to 330

#3 Updated by Ondřej Pražák 8 months ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed

#4 Updated by The Foreman Bot 7 months ago

  • Pull request https://github.com/theforeman/foreman/pull/5798 added