Feature #6321

Bastion pages should enforce permissions when entering the page

Added by Walden Raines over 6 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Web UI
Target version:
Difficulty: medium
Triaged: Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1111695

Description of problem:

In other words you can copy/paste a URL and visit a Bastion page directly even if you don't have permissions to visit that page.

Version-Release number of selected component (if applicable):

Latest.

How reproducible:

Always.

Steps to Reproduce:
1. Create a role
2. Add a single filter to the role
3. Create a user
4. Add the role from step 1 to the user
5. Logout
6. Login as the user from step 3
7. Visit another bastion page not governed by the permission created in step 2
8. Note you can access the page (but nothing is displayed as the REST calls result in 403s).

Actual results:

You can access the page (but nothing is displayed as the REST calls result in 403s).

Expected results:

A message that tells the user they don't have permission to view this page.

Additional info:


Related issues

Related to Katello - Feature #5217: As a user, I should have CRUD permissions for all entities that are exposed to me. (Closed, 2014-04-16)

Associated revisions

Revision 461630b5
Added by Walden Raines over 6 years ago

Fixes #6321/BZ1111695: check permission before displaying bastion page.

Ensure the current user has the correct permission prior to displaying
the Bastion page. Before this commit the page would display with 403s
for any requests the user did not have access to.

http://projects.theforeman.org/issues/6321
https://bugzilla.redhat.com/show_bug.cgi?id=1111695
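
The check this issue asks for, sketched as an added example (not code from the Katello/Bastion commit): a guard that runs before a page is entered and shows a message instead of an empty page. The route table, state names, permission names and the `navigate`/`authorizeTransition` helpers are hypothetical.

```javascript
'use strict';

// Constructed route table: every client-side page declares the permission it
// requires. State and permission names are hypothetical, not Bastion's own.
const ROUTES = {
  'dashboard':           { permission: null },                 // explicitly public
  'products.index':      { permission: 'view_products' },
  'content-views.index': { permission: 'view_content_views' },
  'legacy.page':         {},                                   // declaration forgotten
};

const DENIED_MESSAGE = 'You do not have permission to view this page.';

// Runs before a page is entered. Fails closed: an unknown state, or a route
// that never declared a permission, is denied rather than shown.
function authorizeTransition(toState, user) {
  const known = Object.prototype.hasOwnProperty.call(ROUTES, toState);
  if (!known) return { allow: false, reason: 'unknown-state' };
  const route = ROUTES[toState];
  if (!('permission' in route)) return { allow: false, reason: 'undeclared-permission' };
  if (route.permission === null) return { allow: true, reason: 'public' };
  const granted = Boolean(user) && user.permissions instanceof Set &&
    user.permissions.has(route.permission);
  return granted
    ? { allow: true, reason: 'granted' }
    : { allow: false, reason: 'missing:' + route.permission };
}

// Enter a page by link or pasted URL. fetchData stands in for the page's REST
// calls; it is invoked only after the guard has allowed the transition.
function navigate(toState, user, fetchData) {
  const decision = authorizeTransition(toState, user);
  if (!decision.allow) {
    return { view: 'permission-denied', message: DENIED_MESSAGE, reason: decision.reason };
  }
  return { view: toState, message: null, data: fetchData(toState) };
}

// Constructed user matching the reproduction steps: one role with one filter.
const limitedUser = { login: 'step3-user', permissions: new Set(['view_products']) };
```

The guard only changes what the user sees; the 403 responses from the REST API described in the report remain the actual enforcement and must stay in place.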

Revision 0d2fa2b0
Added by Walden Raines over 6 years ago

Merge pull request #4382 from waldenraines/6321

Fixes #6321/BZ1111695: check permission before displaying bastion page.

History

#1 Updated by Walden Raines over 6 years ago

  • Related to Feature #5217: As a user, I should have CRUD permissions for all entities that are exposed to me. added

#2 Updated by Eric Helms over 6 years ago

  • Target version set to 48
  • Difficulty set to easy
  • Triaged set to Yes

#3 Updated by Walden Raines over 6 years ago

  • Difficulty changed from easy to medium

#4 Updated by Walden Raines over 6 years ago

  • Tracker changed from Bug to Feature
  • Subject changed from "Bastion pages do not enforce permissions when entering the page" to "Bastion pages should enforce permissions when entering the page"

#5 Updated by Walden Raines over 6 years ago

  • Status changed from New to Assigned

#6 Updated by Walden Raines over 6 years ago

  • Status changed from Assigned to Ready For Testing

#7 Updated by Eric Helms over 6 years ago

  • Target version changed from 48 to 49

#8 Updated by The Foreman Bot over 6 years ago

  • Pull request https://github.com/Katello/katello/pull/4382 added

#9 Updated by Walden Raines over 6 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#10 Updated by Eric Helms about 6 years ago

  • Legacy Backlogs Release (now unused) set to 13
