Bug #23994

It is possible to update template in organizations user does not have permission for when importing a template

Added by Ondřej Pražák almost 6 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
High
Category:
Templates
Target version:
Fixed in Releases:
Found in Releases:

Description

Steps to reproduce:

1) Create non-admin user_a with Manager role in OrgA and LocA only, same for user_b, OrgB and LocB
2) Try importing a new template as user_a into OrgB and LocB with the following command:

curl -H "Accept: application/json" -H "Content-Type: application/json" -k -X POST -u user_a:changeme https://$(hostname)/api/v2/provisioning_templates/import -d '{ "provisioning_template": {"name": "An org test", "template": "<%#\nkind: PXELinux\nname: An org test\nmodel: ProvisioningTemplate\norganizations:\n - OrgB\nlocations:\n - LocB\n%>\ntest"}, "options": {"verbose": "true", "associate": "always"} }' | json_reformat

You will not be permitted to do so as expected.

3) Now import the template into OrgA, LocA as user_a, which succeeds:

curl -H "Accept: application/json" -H "Content-Type: application/json" -k -X POST -u user_a:changeme https://$(hostname)/api/v2/provisioning_templates/import -d '{ "provisioning_template": {"name": "An org test", "template": "<%#\nkind: PXELinux\nname: An org test\nmodel: ProvisioningTemplate\norganizations:\n - OrgA\nlocations:\n - LocA\n%>\ntest"}, "options": {"verbose": "true", "associate": "always"} }' | json_reformat

4) Try importing template with the same name as user_b into LocB and OrgB:

curl -H "Accept: application/json" -H "Content-Type: application/json" -k -X POST -u user_b:changeme https://$(hostname)/api/v2/provisioning_templates/import -d '{ "provisioning_template": {"name": "An org test", "template": "<%#\nkind: PXELinux\nname: An org test\nmodel: ProvisioningTemplate\norganizations:\n - OrgB\nlocations:\n - LocB\n%>\ntest again"}, "options": {"verbose": "true", "associate": "always"} }' | json_reformat

The result is a successfully imported template that is now assigned to LocB and OrgB only. user_b was thus able to update something he does not have permission for, and user_a can no longer use that template, since it was removed from OrgA and LocA and its original content was likely overwritten with whatever user_b posted.
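The following Ruby sketch is an added illustration, not Foreman's code and not the change from the linked pull request: it models the import-by-name flow from the steps above, where an existing template is found by name alone and then overwritten, beside a lookup that refuses the import when the matching template lies outside the importing user's organizations and locations. The user hashes, the Template struct and the one-org-and-one-location visibility rule are simplified assumptions.

```ruby
# Added illustration (not Foreman code). Hypothetical, simplified model of
# template import by name with organization/location scoping.
Template = Struct.new(:name, :content, :orgs, :locs)
ImportError = Class.new(StandardError)

# Assumed scoping rule: a user can see/edit a template only if it shares at
# least one of the user's organizations and one of the user's locations.
def visible_to?(user, tpl)
  (tpl.orgs & user[:orgs]).any? && (tpl.locs & user[:locs]).any?
end

# Requested associations must lie within the importer's own taxonomies
# (this is the check that already rejects step 2 of the report).
def associations_allowed?(user, orgs, locs)
  (orgs - user[:orgs]).empty? && (locs - user[:locs]).empty?
end

# Flawed: the name lookup runs over *all* templates, so a template the user
# cannot see is silently updated and re-associated.
def import_unscoped(store, user, name, content, orgs, locs)
  raise ImportError, 'taxonomy not permitted' unless associations_allowed?(user, orgs, locs)
  tpl = store.find { |t| t.name == name }
  if tpl
    tpl.content, tpl.orgs, tpl.locs = content, orgs, locs # clobbers OrgA's template
  else
    store << Template.new(name, content, orgs, locs)
  end
  :ok
end

# Hardened: names stay unique, but an existing template outside the user's
# scope blocks the import instead of being overwritten.
def import_scoped(store, user, name, content, orgs, locs)
  raise ImportError, 'taxonomy not permitted' unless associations_allowed?(user, orgs, locs)
  tpl = store.find { |t| t.name == name }
  if tpl
    raise ImportError, "template '#{name}' exists but is not editable by #{user[:name]}" unless visible_to?(user, tpl)
    tpl.content, tpl.orgs, tpl.locs = content, orgs, locs
  else
    store << Template.new(name, content, orgs, locs)
  end
  :ok
end

# Constructed scenario following steps 1, 3 and 4 of the report.
USER_A = { name: 'user_a', orgs: ['OrgA'], locs: ['LocA'] }
USER_B = { name: 'user_b', orgs: ['OrgB'], locs: ['LocB'] }

def reproduce(importer)
  store = []
  send(importer, store, USER_A, 'An org test', 'test', ['OrgA'], ['LocA'])       # step 3
  send(importer, store, USER_B, 'An org test', 'test again', ['OrgB'], ['LocB']) # step 4
  store.first # with the flawed lookup this is OrgA's template, now owned by OrgB
rescue ImportError => e
  e.message
end
```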

Actions #1

Updated by The Foreman Bot almost 6 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Ondřej Pražák
  • Pull request https://github.com/theforeman/foreman/pull/5725 added
Actions #2

Updated by Tomer Brisker almost 6 years ago

  • Release set to 330
  • Triaged set to Yes
Actions #3

Updated by Ondřej Pražák almost 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #4

Updated by The Foreman Bot over 5 years ago

  • Pull request https://github.com/theforeman/foreman/pull/5798 added