Project

General

Profile

Actions
Copy link

Bug #30880

closed

Add permission support to validate 404 on denial and multi permissions

Added by Partha Aji over 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Partha Aji
Category:
Security
Target version:
Katello 3.18.0
Difficulty:
Triaged:
Yes
Bugzilla link:
Pull request:
https://github.com/Katello/katello/pull/8956
Fixed in Releases:
Katello 4.0.0
Found in Releases:
Red Hat JIRA:

Description

The current testing framework does not handle 404s on denial. This behaviour is consistent with foreman, 404 instead of 403 if object not authorized. 403 is only when route is not authorized.
We need to add support to this.
The current authorization does not handle multi permissions also. For example destroy_content_views and promote_or_remove_content_views either support 'removing' a content view. However the controller authorizer does not handle this correctly.

Related issues 1 (0 open1 closed)

Blocks Katello - Tracker #30872: Use proper authorization in controllersClosed

Actions
Actions
Copy link
 #1

Updated by Partha Aji over 4 years ago

  • Blocks Tracker #30872: Use proper authorization in controllers added
Actions
Copy link
 #2

Updated by The Foreman Bot over 4 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/8956 added
Actions
Copy link
 #3

Updated by The Foreman Bot over 4 years ago

  • Fixed in Releases Katello 4.0.0 added
Actions
Copy link
 #4

Updated by Partha Aji over 4 years ago

  • Status changed from Ready For Testing to Closed
Actions
Copy link
 #5

Updated by Ian Ballou about 4 years ago

  • Target version set to Katello 3.18.0
Actions
Copy link
 #6

Updated by Ian Ballou about 4 years ago

  • Triaged changed from No to Yes
Actions
Copy link

Also available in: Atom PDF