Bug #1582

closed

Privacy leak in dashboard, statistics, facts and classes.

Added by Brian Gupta almost 12 years ago. Updated almost 12 years ago.

Status: Closed
Priority: Normal
Category: Users, Roles and Permissions
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Note that if using roles and user-based domain filters, the dashboard still shows stats for hosts that the user isn't supposed to know about.

The same issue is present for stats, facts and classes.

Actions #1

Updated by Greg Sutcliffe almost 12 years ago

  • % Done changed from 0 to 70

Ok, I've had a bash at it, and I think I've fixed all but the Classes. You can find the patch at https://github.com/GregSutcliffe/foreman/tree/1582 and if you have time to test, I'd be grateful.

As for the Classes, I'm thinking that we might be able to build a db query about what classes are available to every host the user can edit. Could be tricky, but I'll see if I can take a look over the weekend.

Actions #2

Updated by Greg Sutcliffe almost 12 years ago

Ok, pull request in (https://github.com/theforeman/foreman/pull/53). It seems classes are already filtered by the environment the host is in, so I guess we need to:

a) Provide a way for an Admin to restrict what environments a user can select when editing a host.
b) Ensure that if the user can see the Puppet Classes page, that it only shows classes available to the environments configured in (a)

@bgupta, if you agree, I'll create a feature request for that and we can close this when 53 is merged....

Actions #3

Updated by Greg Sutcliffe almost 12 years ago

  • Status changed from New to Closed
  • % Done changed from 70 to 100
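
The class of leak reported in this ticket, as an added plain-Ruby example that is not Foreman's code and not part of the ticket or its patch: aggregate views (dashboard counts, fact statistics, class lists) must be derived from the same per-user scope as the host list. All names (`Host`, `User`, `visible_hosts`, the sample hosts and classes) are hypothetical and the data is constructed.

```ruby
# Added illustration; plain Ruby, not Foreman code. All names are hypothetical.
Host = Struct.new(:name, :domain, :environment, :status, :facts)
User = Struct.new(:login, :admin, :domains, :environments)

# Constructed sample inventory.
HOSTS = [
  Host.new("web1.a.example", "a.example", "production", :ok,    { "os" => "Debian" }),
  Host.new("web2.a.example", "a.example", "production", :error, { "os" => "Debian" }),
  Host.new("db1.b.example",  "b.example", "staging",    :error, { "os" => "CentOS" }),
  Host.new("db2.b.example",  "b.example", "staging",    :ok,    { "os" => "CentOS" })
].freeze

# Constructed environment -> Puppet class mapping.
CLASSES = { "production" => %w[apache ntp], "staging" => %w[mysql ntp] }.freeze

# Single authorization scope: every view starts here, never from HOSTS directly.
def visible_hosts(user)
  return HOSTS if user.admin
  HOSTS.select { |h| user.domains.include?(h.domain) }
end

# Leaky pattern from the report: counts taken over the global host list,
# so a filtered user still learns about hosts outside their domains.
def dashboard_unscoped(_user)
  HOSTS.group_by(&:status).transform_values(&:size)
end

# Scoped dashboard: counts derived only from hosts the user may see.
def dashboard(user)
  visible_hosts(user).group_by(&:status).transform_values(&:size)
end

# Fact statistics reuse the same scope, so value distributions do not leak.
def fact_distribution(user, fact)
  values = visible_hosts(user).map { |h| h.facts[fact] }.compact
  values.group_by(&:itself).transform_values(&:size)
end

# Classes page limited to the environments an admin allowed for this user.
def visible_classes(user)
  envs = user.admin ? CLASSES.keys : user.environments
  CLASSES.values_at(*envs).compact.flatten.uniq.sort
end

# Constructed non-admin user restricted to one domain and one environment.
ALICE = User.new("alice", false, ["a.example"], ["production"])
```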