Bug #9724
closed
Content Views leak information under certain conditions
Added by Pat Riehecky almost 10 years ago.
Updated over 6 years ago.
Description
As a non-admin user, under the correct conditions I can use content views from Organizations I do not have access to.
Steps to reproduce:
1. Create an Org, assign hosts, content views, puppet modules, and a lifecycle
2. Ensure a content view is published to Library, but not any custom lifecycle
3. Create a new Org, no new locations or existing ones
4. Create a dedicated test user
5. Put this user in the org and grant them all non-admin permissions
6. Login as new user
7. Create a New Host
8. Put that host in the Library lifecycle
9. Assign the content view to one from the wrong org!
Following the above steps I was able to assign Default Organization View to a host in the Org "New Test Org" with an unprivileged user.
- Target version set to 67
- Triaged changed from No to Yes
- Target version changed from 67 to 68
- Status changed from New to Need more information
The 'Default Organization View' exists and is created for every organization, just as a Library is created for every organization. Can you check that you aren't seeing repositories bleed across organizations within their default views? Also, when you say 'all non-admin permissions' what exactly do you mean?
when you say 'all non-admin permissions' what exactly do you mean?
All available roles, Boot disk, Discovery Manager, Discovery Reader, Edit hosts, Edit partition tables, Manager, Provisioning, site manager, view hosts, viewer
My test org has no products or repos defined and as a non-admin user I cannot see those of the other orgs through the web interface.
I'm unable to register the host via subscription-manager as the lifecycle does not appear in the activation key view and my user/pass auth seems to be non-functional for this host.
- Release changed from 34 to 23
- Target version deleted (68)
Pat,
It doesn't sound like, for your test organization and non-admin user, you gave them any content permissions other than 'reader', which should be able to see all the things. This would correspond with not being able to register, as that requires a particular permission.
- Release changed from 23 to 51
- Release changed from 51 to 55
- Release changed from 55 to 61
- Status changed from Need more information to Rejected
- Release deleted (61)
Closing as rejected for now, if you re-visit and find issues with more information for us, please re-open.
- Release set to 166