Bug #28855

closed

Database template finder ignores taxonomy

Added by Lukas Zapletal about 4 years ago. Updated about 4 years ago.

Status: Rejected
Priority: Normal
Category: Templates
Target version: -
Difficulty:
Triaged: No
Fixed in Releases:
Found in Releases:

Description

When the unattended controller renders a template, it finds it in the correct taxonomy in the method provisioning_template, but then it is passed into the renderer outside of the taxonomy block in TemplateRendering#render_template. Therefore, for all snippets loaded via SnippetRendering#snippet, source.find_snippet(name) is called without Taxonomy handling (basically an unscoped SQL query). This is possibly a security issue as well when all snippets are essentially shared across all organizations even when the taxonomy is not set like that.
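
The pattern the report describes, modeled in plain Ruby as an added example (not Foreman code, and not a statement about Foreman's actual behavior; `Tenancy`, `SnippetStore` and the sample data are hypothetical): a template resolved inside a block-scoped tenant context whose nested snippet lookup runs only after the block has exited. It assumes that a lookup with no current tenant applies no filter.

```ruby
# Constructed model of block-scoped tenancy; hypothetical names, not Foreman code.
class Tenancy
  def self.current
    Thread.current[:tenant]
  end

  # Sets the tenant for the duration of the block, then restores the previous one.
  def self.as_tenant(name)
    previous = Thread.current[:tenant]
    Thread.current[:tenant] = name
    yield
  ensure
    Thread.current[:tenant] = previous
  end
end

Snippet = Struct.new(:name, :tenant, :body)

class SnippetStore
  def initialize(rows)
    @rows = rows
  end

  # Assumption: with no current tenant the filter is skipped (unscoped lookup).
  def find_snippet(name)
    tenant = Tenancy.current
    @rows.find { |r| r.name == name && (tenant.nil? || r.tenant == tenant) }
  end
end

# Constructed sample data: the same snippet name exists in two organizations.
STORE = SnippetStore.new([
  Snippet.new("ssh_keys", "org_a", "keys for A"),
  Snippet.new("ssh_keys", "org_b", "keys for B"),
])

# A template is a lambda here; it pulls in its snippet only when rendered.
TEMPLATE = ->(store) { store.find_snippet("ssh_keys")&.body }

# Pattern from the report: template found inside the block, rendered after it exits.
def render_outside(tenant)
  template = Tenancy.as_tenant(tenant) { TEMPLATE }
  template.call(STORE)
end

# Rendering inside the block keeps the nested snippet lookup scoped.
def render_inside(tenant)
  Tenancy.as_tenant(tenant) { TEMPLATE.call(STORE) }
end
```

In this model `render_outside("org_b")` returns the `org_a` snippet because the lookup runs with no tenant set, while `render_inside("org_b")` returns the `org_b` one.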

Actions #1

Updated by The Foreman Bot about 4 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Lukas Zapletal
  • Pull request https://github.com/theforeman/foreman/pull/7386 added

Actions #2

Updated by Lukas Zapletal about 4 years ago

  • Status changed from Ready For Testing to Rejected