Project

General

Profile

Bug #6760

Models should ensure the authorization of associated objects before associating them to the model

Added by Eric Helms over 4 years ago. Updated about 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Authorization
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

While this issue is systematic, I'll provide an example using domains and subnets to illustrate the problem.

As an admin:
1. Create a new domain: "example.org"
2. Create a User: "testuser"
3. Create a new Role: "Subnets Role"
4. Add a Filter to the Role with - Type: Subnets, Permissions: create_subnets, view_subnets

As testuser:

curl -u testuser:testuser -X POST -d '{"name": "subnet1", "network": "255.168.192.1", "mask": "255.255.255.0", "domains": [{"id": 1}]}' -H "Content-Type: application/json" http://10.13.129.41:3000/api/v2/subnets


Related issues

Related to Foreman - Feature #4477: Improve permissions on resources in host creation/editing formClosed2014-02-27
Related to Foreman - Bug #7221: Edit organization displays associated resources for use w/o permissionsClosed2014-08-21
Related to Foreman - Bug #7337: organizations UI does not filter resources to associate based upon RBACClosed2014-09-03
Related to Foreman - Feature #7289: ACL who can add a host to hostgroup.New2014-08-28
Blocks Katello - Bug #5720: Roles: Add scopes to finds in converted controllersNew2014-05-14

History

#1 Updated by The Foreman Bot over 4 years ago

  • Status changed from New to Ready For Testing
  • Target version set to 49
  • Pull request https://github.com/Katello/katello/pull/4483 added
  • Pull request deleted ()

#2 Updated by Eric Helms over 4 years ago

  • Project changed from Katello to Foreman
  • Target version deleted (49)

#3 Updated by The Foreman Bot over 4 years ago

  • Target version set to 1.8.0

#4 Updated by Dominic Cleal over 4 years ago

  • Category set to Authorization

#5 Updated by Dominic Cleal over 4 years ago

  • Related to Feature #4477: Improve permissions on resources in host creation/editing form added

#6 Updated by Dmitri Dolguikh over 4 years ago

  • Target version changed from 1.8.0 to 1.7.5

#7 Updated by Eric Helms over 4 years ago

  • Bugzilla link set to 1126840

#8 Updated by Eric Helms over 4 years ago

  • Blocks Bug #5720: Roles: Add scopes to finds in converted controllers added

#9 Updated by Dmitri Dolguikh over 4 years ago

  • Target version changed from 1.7.5 to 1.7.4

#10 Updated by Dominic Cleal over 4 years ago

  • Related to Bug #7221: Edit organization displays associated resources for use w/o permissions added

#11 Updated by Dominic Cleal over 4 years ago

  • Related to Bug #7337: organizations UI does not filter resources to associate based upon RBAC added

#12 Updated by Dmitri Dolguikh over 4 years ago

  • Target version changed from 1.7.4 to 1.7.3

#13 Updated by Dominic Cleal over 4 years ago

  • Target version changed from 1.7.3 to 1.7.2

#14 Updated by Dominic Cleal about 3 years ago

  • Status changed from Ready For Testing to New
  • Assignee deleted (Eric Helms)
  • Target version deleted (1.7.2)
  • Pull request deleted (https://github.com/Katello/katello/pull/4483)

Associated PR was closed.

#15 Updated by Marek Hulán over 2 years ago

  • Related to Feature #7289: ACL who can add a host to hostgroup. added

Also available in: Atom PDF