Project

General

Profile

Actions

Bug #9947

closed

CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership

Added by Andy Taylor almost 9 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Organizations and Locations
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

I created a new user with a dedicated role with the following permissions:

Host/managed: view_hosts

The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.


Related issues 4 (0 open4 closed)

Related to Foreman - Refactor #10025: Move taxonomy related methods and scopes to Host::BaseClosedMarek Hulán04/06/2015Actions
Related to Discovery - Bug #10005: CVE-2015-1844 - Discovery hosts are not restricted to user taxonomiesClosedLukas Zapletal04/02/2015Actions
Related to Foreman - Bug #10918: Provisioning templates no longer resolve/available for non-admin users in Foreman 1.7.5Feedback06/24/2015Actions
Blocked by Foreman - Bug #9967: Unit tests do not isolate user setupClosedMarek Hulán03/31/2015Actions
Actions #1

Updated by Dominic Cleal almost 9 years ago

  • Category changed from API to Organizations and Locations
Actions #2

Updated by Marek Hulán almost 9 years ago

  • Status changed from New to Assigned
  • Assignee set to Marek Hulán
Actions #3

Updated by The Foreman Bot almost 9 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2273 added
  • Pull request deleted ()
Actions #4

Updated by Dominic Cleal almost 9 years ago

  • Subject changed from GET /api/hosts doesn't respect organization/location membership to CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership
Actions #6

Updated by Marek Hulán almost 9 years ago

  • Bugzilla link set to 1208071
Actions #7

Updated by Marek Hulán almost 9 years ago

  • Blocked by Bug #9967: Unit tests do not isolate user setup added
Actions #8

Updated by Marek Hulán almost 9 years ago

  • translation missing: en.field_release set to 40
Actions #9

Updated by Dominic Cleal almost 9 years ago

  • Related to Refactor #10025: Move taxonomy related methods and scopes to Host::Base added
Actions #10

Updated by Dominic Cleal almost 9 years ago

  • Related to Bug #10005: CVE-2015-1844 - Discovery hosts are not restricted to user taxonomies added
Actions #11

Updated by Marek Hulán almost 9 years ago

  • % Done changed from 0 to 100
  • Status changed from Ready For Testing to Closed
Actions #12

Updated by Daniel Lobato Garcia almost 9 years ago

Warning for the release notes: this PR will make global (unscoped by organization/location) objects invisible to all users except for admins. If you want to make global objects you should assign them to all taxonomies.

Actions #13

Updated by Dominic Cleal over 8 years ago

  • Related to Bug #10918: Provisioning templates no longer resolve/available for non-admin users in Foreman 1.7.5 added
Actions

Also available in: Atom PDF