
Bug #9724

Content Views leak information under certain conditions

Added by Pat Riehecky about 7 years ago. Updated almost 4 years ago.

Status: Rejected
Priority: Normal
Assignee: -
Category: Web UI
Target version:
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

As a non-admin user, under the correct conditions I can use content views from Organizations I do not have access to.

Steps to reproduce:
1. Create an Org, assign hosts, content views, puppet modules, and a lifecycle
2. Ensure a content view is published to Library, but not to any custom lifecycle
3. Create a new Org, no new locations or existing ones
4. Create a dedicated test user
5. Put this user in the org and grant them all non-admin permissions
6. Log in as the new user
7. Create a New Host
8. Put that host in the Library lifecycle
9. Assign the content view to one from the wrong org!

Following the above steps I was able to assign Default Organization View to a host in the Org "New Test Org" with an unprivileged user.

History

#1 Updated by Eric Helms about 7 years ago

  • Target version set to 67
  • Triaged changed from No to Yes

#2 Updated by Eric Helms about 7 years ago

  • Target version changed from 67 to 68

#3 Updated by Eric Helms about 7 years ago

  • Status changed from New to Need more information

The 'Default Organization View' exists and is created for every organization, just as a Library is created for every organization. Can you check that you aren't seeing repositories bleed across organizations within their default views? Also, when you say 'all non-admin permissions' what exactly do you mean?
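
A check for the question raised in the report and in comment #3, added here as an example that is not part of the original ticket or of Katello: whether the content views a non-admin user can see or assign are owned by an organization that user belongs to, compared by organization id rather than by name, since every organization carries its own "Default Organization View". The record shape (id, name, organization with id and name) and all sample data are constructed assumptions.

```python
# Added example (not from the ticket or from Katello). Assumes each content
# view record carries its owning organization as {"id": ..., "name": ...};
# every value below is constructed sample data.

# Two organizations, each with its own "Default Organization View" (one per
# org, as comment #3 explains), plus one custom view in the original org.
ALL_VIEWS = [
    {"id": 10, "name": "Default Organization View",
     "organization": {"id": 1, "name": "Original Org"}},
    {"id": 11, "name": "Default Organization View",
     "organization": {"id": 2, "name": "New Test Org"}},
    {"id": 12, "name": "EL7 Base",
     "organization": {"id": 1, "name": "Original Org"}},
]

# The test user is a member of "New Test Org" only.
USER_ORG_IDS = {2}

# What the user sees in the expected case: only their own org's default view.
VIEWS_SEEN_OK = [ALL_VIEWS[1]]
# What a real cross-org leak would look like: a view owned by org 1 shows up.
VIEWS_SEEN_BAD = [ALL_VIEWS[1], ALL_VIEWS[2]]


def find_leaked_views(views, user_org_ids):
    """Return the views whose owning organization is outside user_org_ids.

    The comparison is by organization id: a view name shared across orgs
    (such as 'Default Organization View') is expected and is not a leak.
    """
    return [v for v in views if v["organization"]["id"] not in user_org_ids]


def same_name_collisions(views):
    """Map each view name that exists in more than one org to those org ids.

    Useful for explaining a 'leak' that is really two distinct views with the
    same name, which is the situation the ticket describes.
    """
    by_name = {}
    for v in views:
        by_name.setdefault(v["name"], set()).add(v["organization"]["id"])
    return {name: orgs for name, orgs in by_name.items() if len(orgs) > 1}


if __name__ == "__main__":
    print("leaked (ok case): ", find_leaked_views(VIEWS_SEEN_OK, USER_ORG_IDS))
    print("leaked (bad case):", find_leaked_views(VIEWS_SEEN_BAD, USER_ORG_IDS))
    print("name collisions:  ", same_name_collisions(ALL_VIEWS))
```

Seeing a "Default Organization View" in the new org is the expected result; only a view whose organization id lies outside the user's organizations indicates cross-org exposure.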

#4 Updated by Pat Riehecky about 7 years ago

when you say 'all non-admin permissions' what exactly do you mean?

All available roles, Boot disk, Discovery Manager, Discovery Reader, Edit hosts, Edit partition tables, Manager, Provisioning, site manager, view hosts, viewer

My test org has no products or repos defined and as a non-admin user I cannot see those of the other orgs through the web interface.

I'm unable to register the host via subscription-manager as the lifecycle does not appear in the activation key view and my user/pass auth seems to be non-functional for this host.

#5 Updated by Justin Sherrill about 7 years ago

  • Legacy Backlogs Release (now unused) changed from 34 to 23

#6 Updated by Eric Helms about 7 years ago

  • Target version deleted (68)

#7 Updated by Eric Helms about 7 years ago

Pat,

It doesn't sound like for your test organization and non-admin user that you gave them any content permissions other than the 'reader' which should be able to see all the things. This would correspond with not being able to register as that requires a particular permission.

#8 Updated by Eric Helms about 7 years ago

  • Legacy Backlogs Release (now unused) changed from 23 to 51

#9 Updated by Eric Helms about 7 years ago

  • Legacy Backlogs Release (now unused) changed from 51 to 55

#10 Updated by Eric Helms almost 7 years ago

  • Legacy Backlogs Release (now unused) changed from 55 to 61

#11 Updated by Eric Helms almost 7 years ago

  • Status changed from Need more information to Rejected
  • Legacy Backlogs Release (now unused) deleted (61)

Closing as rejected for now, if you re-visit and find issues with more information for us, please re-open.

#12 Updated by Eric Helms almost 6 years ago

  • Legacy Backlogs Release (now unused) set to 166
