Bug #9724
Status: closed
Content Views leak information under certain conditions
Description
As a non-admin user, under the correct conditions I can use content views from Organizations I do not have access to.
Steps to reproduce:
1. Create an Org, assign hosts, content views, puppet modules, and a lifecycle
2. Ensure a content view is published to Library, but not any custom lifecycle
3. Create a new Org, no new locations or existing ones
4. Create a dedicated test user
5. Put this user in the org and grant them all non-admin permissions
6. Login as new user
7. Create a New Host
8. Put that host in the Library lifecycle
9. Assign the content view to one from the wrong org!
Following the above steps I was able to assign Default Organization View to a host in the Org "New Test Org" with an unprivileged user.
Updated by Eric Helms almost 10 years ago
- Target version set to 67
- Triaged changed from No to Yes
Updated by Eric Helms almost 10 years ago
- Status changed from New to Need more information
The 'Default Organization View' exists and is created for every organization, just as a Library is created for every organization. Can you check that you aren't seeing repositories bleed across organizations within their default views? Also, when you say 'all non-admin permissions' what exactly do you mean?
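The thread turns on two points: the reporter's concern that a host can reference a content view belonging to another organization, and the maintainer's explanation that every organization has its own view of that name. The following added illustration (my own hypothetical model, not Katello or Foreman code; the `Catalog`, `ContentView` and `Host` names are invented) shows the difference between a lookup keyed on the view id alone and one that also requires the view to belong to the host's organization, and shows that two same-named default views are distinct records.

```python
"""Added illustration of org-scoped content-view lookup (hypothetical model)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_VIEW_NAME = "Default Organization View"


@dataclass(frozen=True)
class ContentView:
    id: int
    org_id: int
    name: str


@dataclass
class Host:
    name: str
    org_id: int
    content_view_id: Optional[int] = None


class Catalog:
    """Hypothetical store of organizations and their content views."""

    def __init__(self) -> None:
        self.views: Dict[int, ContentView] = {}
        self._next_id = 1

    def create_org(self, org_id: int) -> ContentView:
        # Every org gets its own default view, as the maintainer's reply describes:
        # same display name, but a distinct record owned by a distinct org.
        view = ContentView(self._next_id, org_id, DEFAULT_VIEW_NAME)
        self.views[view.id] = view
        self._next_id += 1
        return view

    def unscoped_lookup(self, view_id: int) -> ContentView:
        # Lookup keyed on id alone: the pattern that would let a host reference
        # a view from an org the caller cannot see.
        return self.views[view_id]

    def scoped_lookup(self, org_id: int, view_id: int) -> ContentView:
        # Lookup that also requires the view to belong to the caller's org.
        view = self.views.get(view_id)
        if view is None or view.org_id != org_id:
            raise PermissionError(f"content view {view_id} is not visible to org {org_id}")
        return view

    def views_named(self, org_id: int, name: str) -> List[ContentView]:
        return [v for v in self.views.values() if v.org_id == org_id and v.name == name]


def assign_view(catalog: Catalog, host: Host, view_id: int, scoped: bool = True) -> Host:
    """Attach a content view to a host; with scoped=True the host's org must own it."""
    view = catalog.scoped_lookup(host.org_id, view_id) if scoped else catalog.unscoped_lookup(view_id)
    host.content_view_id = view.id
    return host


def demo() -> dict:
    catalog = Catalog()
    original = catalog.create_org(1)  # constructed: the original org, view id 1
    test_org = catalog.create_org(2)  # constructed: "New Test Org", view id 2
    host = Host("test-host", org_id=2)

    # Each org resolves the same display name to its own record.
    default_view_ids = {org: catalog.views_named(org, DEFAULT_VIEW_NAME)[0].id for org in (1, 2)}

    # Cross-org reference: denied when the lookup is org-scoped.
    try:
        assign_view(catalog, host, original.id, scoped=True)
        cross_org_scoped = "allowed"
    except PermissionError:
        cross_org_scoped = "denied"

    # The same reference goes through when the lookup ignores the org.
    cross_org_unscoped = assign_view(catalog, Host("other-host", 2), original.id, scoped=False).content_view_id

    # The org's own default view is accepted by the scoped path.
    own_view = assign_view(catalog, host, test_org.id).content_view_id

    return {
        "default_view_ids": default_view_ids,
        "cross_org_scoped": cross_org_scoped,
        "cross_org_unscoped": cross_org_unscoped,
        "own_view": own_view,
    }


if __name__ == "__main__":
    print(demo())
```

When reading the reporter's steps against this model, the question to settle is which record "Default Organization View" resolved to on the host in the new org: the new org's own default view (id 2 here) is expected, while a reference to the other org's record (id 1) would be the leak the report describes.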
Updated by Pat Riehecky almost 10 years ago
when you say 'all non-admin permissions' what exactly do you mean?
All available roles, Boot disk, Discovery Manager, Discovery Reader, Edit hosts, Edit partition tables, Manager, Provisioning, site manager, view hosts, viewer
My test org has no products or repos defined and as a non-admin user I cannot see those of the other orgs through the web interface.
I'm unable to register the host via subscription-manager as the lifecycle does not appear in the activation key view and my user/pass auth seems to be non-functional for this host.
Updated by Justin Sherrill almost 10 years ago
- Release changed from 34 to 23
Updated by Eric Helms almost 10 years ago
Pat,
It doesn't sound like for your test organization and non-admin user that you gave them any content permissions other than the 'reader' which should be able to see all the things. This would correspond with not being able to register as that requires a particular permission.
Updated by Eric Helms almost 10 years ago
- Release changed from 23 to 51
Updated by Eric Helms almost 10 years ago
- Release changed from 51 to 55
Updated by Eric Helms over 9 years ago
- Release changed from 55 to 61
Updated by Eric Helms over 9 years ago
- Status changed from Need more information to Rejected
- Release deleted (61)
Closing as rejected for now, if you re-visit and find issues with more information for us, please re-open.
Updated by Eric Helms over 8 years ago
- Release set to 166