Bug #5672

Host group filter bypassed due to unlimited view_hosts filter on anonymous role

Added by Mike McRill over 5 years ago. Updated over 3 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Authorization
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Since updating to 1.5.0-1, my host filters aren't working. For example, I have a group within my organization that needs access to only certain hosts and shouldn't be able to view any hosts. Their role currently gives them most of the host/managed permissions but filtered to a specific hostgroup. For whatever reason, they can still see all of the hosts (specifically the YAML button works for all hosts). They can only edit/manage hosts in the hostgroup though.


Related issues

Related to Foreman - Bug #6361: menu item "Hosts --> All hosts" is visible to normal user from anonymous role by default (Closed, 2014-06-24)
Blocks Foreman - Tracker #4552: New permissions/authorization system issues (New)

History

#1 Updated by Dominic Cleal over 5 years ago

  • Status changed from New to Feedback

They might be picking up the additional permission from the "Anonymous" role (poorly named), which is applied to all users in addition to any other roles you've created. This role contains view_hosts with an unlimited filter by default.

Try removing the view_hosts permission from Anonymous, then ensure users get it via a more specialised role.

#2 Updated by Dominic Cleal over 5 years ago

  • Blocks Tracker #4552: New permissions/authorization system issues added

#3 Updated by Mike McRill over 5 years ago

Removing view hosts from the default anonymous role fixed it. Curiously enough, no one has that role assigned--only the one I created via group membership.

#4 Updated by Dominic Cleal over 5 years ago

  • Subject changed from Host filters not working to Host group filter bypassed due to unlimited view_hosts filter on anonymous role
  • Status changed from Feedback to New

Yes, it's not visible from the web UI as it's a built-in role, but it's applied automatically to every user. It seems we missed this nuanced interaction between roles in the migration, apologies.

#5 Updated by Dominic Cleal about 5 years ago

  • Related to Bug #6361: menu item "Hosts --> All hosts" is visible to normal user from anonymous role by default added

#6 Updated by Dominic Cleal over 3 years ago

  • Status changed from New to Rejected

I think this issue was only present in the upgrade to 1.5.0. New installations since do not have view_hosts in the anonymous role. Since the release is over five versions old now, I'm closing this as the upgrade is not going to get fixed now.
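
The role interaction described in this thread, as an added example that is not part of the original issue and is not Foreman's code: a simplified Ruby model in which a user's effective access is the union of filters from their assigned roles plus any role applied implicitly to every user, with an audit that lists scoped filters overridden by an implicit unlimited one. The `Role` and `Filter` structs, the `implicit` flag, the "Team hosts" role and its search string are constructed for illustration.

```ruby
# Simplified model (assumption, not Foreman's implementation): a filter grants
# permissions either unlimited (no search) or scoped by a search string.
Filter = Struct.new(:permissions, :search) do
  def unlimited?
    search.nil? || search.strip.empty?
  end
end

# implicit: true marks a built-in role applied to every user automatically.
Role = Struct.new(:name, :filters, :implicit)

# Effective scope for one permission: union over assigned and implicit roles.
# A single unlimited filter anywhere in that union removes every restriction.
def effective_scope(assigned_roles, all_roles, permission)
  roles = (assigned_roles + all_roles.select(&:implicit)).uniq
  filters = roles.flat_map(&:filters).select { |f| f.permissions.include?(permission) }
  return :denied if filters.empty?
  return :unlimited if filters.any?(&:unlimited?)
  filters.map(&:search).uniq
end

# Audit: scoped filters in ordinary roles whose permission is also granted
# unlimited by an implicit role, so the scope has no effect on viewing.
def shadowed_scopes(all_roles)
  implicit_unlimited = all_roles.select(&:implicit).flat_map { |role|
    role.filters.select(&:unlimited?).flat_map { |f|
      f.permissions.map { |perm| [perm, role.name] }
    }
  }.to_h
  all_roles.reject(&:implicit).flat_map do |role|
    role.filters.reject(&:unlimited?).flat_map do |f|
      f.permissions.select { |perm| implicit_unlimited.key?(perm) }.map do |perm|
        { role: role.name, permission: perm, search: f.search,
          overridden_by: implicit_unlimited[perm] }
      end
    end
  end
end

# Constructed sample data mirroring the thread: the state after the upgrade,
# and the state once view_hosts is removed from the Anonymous role.
TEAM = Role.new("Team hosts",
                [Filter.new(%w[view_hosts edit_hosts], "hostgroup = team-a")], false)
ROLES = [Role.new("Anonymous", [Filter.new(%w[view_hosts], nil)], true), TEAM]
FIXED_ROLES = [Role.new("Anonymous", [], true), TEAM]

if __FILE__ == $PROGRAM_NAME
  shadowed_scopes(ROLES).each { |finding| puts finding }
end
```

In this model `view_hosts` resolves to unlimited while `edit_hosts` stays scoped, matching the reporter's observation that users could see every host but only manage those in their hostgroup.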
