Host group filter bypassed due to unlimited view_hosts filter on anonymous role
Since updating to 1.5.0-1, my host filters aren't working. For example, I have a group within my organization that needs access to only certain hosts and shouldn't be able to view any hosts. Their role currently gives most of the host/managed permissions but filtered to a specific hostgroup. For whatever reason, they can see all of the hosts still (specifically the YAML button works for all hosts). They can only edit/manage hosts in the hostgroup though.
#1 Updated by Dominic Cleal about 5 years ago
- Status changed from New to Feedback
They might be picking up the additional permission from the "Anonymous" role (poorly named), which is applied to all users in addition to any other roles you've created. This role contains view_hosts with an unlimited filter by default.
Try removing the view_hosts permission from Anonymous, then ensure users get it via a more specialised role.
#4 Updated by Dominic Cleal about 5 years ago
- Subject changed from Host filters not working to Host group filter bypassed due to unlimited view_hosts filter on anonymous role
- Status changed from Feedback to New
Yes, it's not visible from the web UI as it's a built-in role, but it's applied automatically to every user. It seems we missed this nuanced interaction between roles in the migration, apologies.
#6 Updated by Dominic Cleal over 3 years ago
- Status changed from New to Rejected
I think this issue was only present in the upgrade to 1.5.0. New installations since do not have view_hosts in the anonymous role. Since the release is over five versions old now, I'm closing this as the upgrade is not going to get fixed now.
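The role interaction described in this thread can be checked for mechanically. The following is an added example, not Foreman code and not from any participant: it models roles as additive sets of filters and reports every permission where a scoped filter is overridden by an unlimited one from another role. The "Team A hosts" role, the search string, the `edit_hosts` entry and all function names are constructed for illustration; only "Anonymous" and `view_hosts` come from the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Filter:
    role: str
    permission: str
    search: Optional[str]  # None models an unlimited filter

# Built-in role applied to every user in addition to assigned roles (per the thread).
BUILTIN_ROLES = {"Anonymous"}

# Constructed sample data mirroring the reported situation after the 1.5.0 upgrade.
FILTERS = [
    Filter("Anonymous", "view_hosts", None),
    Filter("Team A hosts", "view_hosts", "hostgroup = team-a"),
    Filter("Team A hosts", "edit_hosts", "hostgroup = team-a"),
]

def effective_filters(assigned_roles, filters, builtin=BUILTIN_ROLES):
    """Group the filters a user really gets: assigned roles plus built-in roles."""
    roles = set(assigned_roles) | set(builtin)
    grouped = {}
    for f in filters:
        if f.role in roles:
            grouped.setdefault(f.permission, []).append(f)
    return grouped

def bypassed_scopes(assigned_roles, filters, builtin=BUILTIN_ROLES):
    """Return {permission: (roles granting it unlimited, scoped searches bypassed)}."""
    findings = {}
    for perm, fs in effective_filters(assigned_roles, filters, builtin).items():
        unlimited = sorted({f.role for f in fs if f.search is None})
        scoped = sorted({f.search for f in fs if f.search is not None})
        if unlimited and scoped:  # the scope is meaningless for this permission
            findings[perm] = (unlimited, scoped)
    return findings

def without_filter(filters, role, permission):
    """Model the suggested fix: drop one permission from one role."""
    return [f for f in filters
            if not (f.role == role and f.permission == permission)]

if __name__ == "__main__":
    print("before:", bypassed_scopes({"Team A hosts"}, FILTERS))
    fixed = without_filter(FILTERS, "Anonymous", "view_hosts")
    print("after: ", bypassed_scopes({"Team A hosts"}, fixed))
```

Only `view_hosts` is flagged, which matches the report: viewing is unrestricted while editing stays limited to the hostgroup.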