Actions
Bug #16982
closed
CVE-2016-7078 - User with no organizations or locations can see all resources
Difficulty:
Triaged:
Pull request:
Description
The default scope for hosts does not restrict properly by taxonomies. Given this use case:
1. User has role 'Edit host'
2. User has no organization or location
3. User logs in, goes to /hosts and can do anything it's permissions allow to. The list of hosts is unrestricted and shows hosts in any location or organization.
4. If the user gets a taxonomy assigned to it, then the restriction works normally.
This should work so that:
- Users without taxonomies, when set to 'any context' cannot see anything
- Users with taxonomies, when set to 'any context' can see everything within all of their taxonomies context.
- Admins set to 'any context' can see everything - regardless of whether it has a taxonomy or not.
- Users or admins set to some organization/location scope can only see stuff within scope.Pending CVE number.
Updated by Dominic Cleal over 7 years ago
- Subject changed from User with no taxonomies can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all hosts
- Status changed from New to Assigned
Updated by Dominic Cleal over 7 years ago
- Subject changed from CVE-2016-7078 - User with no organizations or locations can see all hosts to CVE-2016-7078 - User with no organizations or locations can see all resources
Applies to both hosts and objects linked to multiple orgs/locs (via Taxonomix).
Updated by The Foreman Bot over 7 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3954 added
Updated by The Foreman Bot over 7 years ago
- Pull request https://github.com/theforeman/foreman/pull/3961 added
Updated by Daniel Lobato Garcia over 7 years ago
- Copied to Bug #17266: Fix tests that depend on CVE 2016-7078 added
Updated by Daniel Lobato Garcia over 7 years ago
- Target version changed from 1.5.2 to 1.4.3
Updated by The Foreman Bot over 7 years ago
- Pull request https://github.com/theforeman/foreman/pull/4172 added
Updated by Daniel Lobato Garcia over 7 years ago
- Target version changed from 1.4.3 to 169
Updated by
Updated by Anonymous about 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 5f606e11cf39719bf62f8b1f3396861b32387905.
Updated by Dominic Cleal about 7 years ago
- translation missing: en.field_release set to 209
Updated by The Foreman Bot about 7 years ago
- Pull request https://github.com/theforeman/foreman/pull/4327 added
Updated by The Foreman Bot about 7 years ago
- Pull request https://github.com/theforeman/foreman/pull/4328 added
Updated by The Foreman Bot about 7 years ago
- Pull request https://github.com/theforeman/foreman/pull/4329 added
Updated by Dominic Cleal about 7 years ago
- Related to Bug #18662: Ensure Taxonomix empty default scope isn't overridden by association scopes added
Updated by Lukas Zapletal about 7 years ago
- Related to Bug #18686: Fix broken tests after taxonomy scope change added
Updated by Lukas Zapletal almost 7 years ago
- Related to Bug #19313: Auto-provisioning does not orchestrate TFTP added
Updated by Ohad Levy almost 7 years ago
- Related to Bug #19409: Auto provision does not work after taxonomy fix added
Updated by Lukas Zapletal almost 7 years ago
- Related to deleted (Bug #19313: Auto-provisioning does not orchestrate TFTP)
Updated by Marek Hulán almost 7 years ago
- Related to Bug #20017: Mail notifications not being sent added
Updated by Marek Hulán almost 7 years ago
- Related to Bug #20321: Cannot use foreman-rake import:puppet_classes on Foreman 1.15.1/Katello 3.4.2 added
Updated by Marek Hulán over 6 years ago
- Related to Bug #20515: User searching by login in code does not find the user because of missing unscoped added
Actions