Project

General

Profile

Actions
Copy link

Bug #36097

closed

User without view_provisioning_templates permission is able to see the rendered template

Added by Bernhard Suttner almost 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Bernhard Suttner
Category:
Security
Target version:
-
Difficulty:
Triaged:
Yes
Bugzilla link:
Pull request:
https://github.com/theforeman/foreman/pull/9624
Fixed in Releases:
3.7.0
Found in Releases:
Red Hat JIRA:

Description

On Hosts -> Review template page, its possible for user to see the rendered template - even that the user doesn't have the view_provisioning_templates permission.

As rendered template may contain passwords or other data which should be protected, it should not be possible to see the rendered template without having the view_provisioning_templates right.

Actions
Copy link
 #1

Updated by The Foreman Bot almost 2 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Bernhard Suttner
  • Pull request https://github.com/theforeman/foreman/pull/9624 added
Actions
Copy link
 #2

Updated by The Foreman Bot over 1 year ago

  • Fixed in Releases 3.7.0 added
Actions
Copy link
 #3

Updated by Bernhard Suttner over 1 year ago

  • Status changed from Ready For Testing to Closed
Actions
Copy link
 #4

Updated by Ewoud Kohl van Wijngaarden over 1 year ago

  • Category set to Security
  • Triaged changed from No to Yes
Actions
Copy link

Also available in: Atom PDF