Bug #9947
closed
CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership
Added by Andy Taylor about 9 years ago.
Updated almost 6 years ago.
Category:
Organizations and Locations
|
|
Description
I created a new user with a dedicated role with the following permissions:
Host/managed: view_hosts
The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.
- Category changed from API to Organizations and Locations
- Status changed from New to Assigned
- Assignee set to Marek Hulán
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/2273 added
- Pull request deleted (
- Subject changed from GET /api/hosts doesn't respect organization/location membership to CVE-2015-1844 - GET /api/hosts doesn't respect organization/location membership
- Bugzilla link set to 1208071
- Blocked by Bug #9967: Unit tests do not isolate user setup added
- translation missing: en.field_release set to 40
- Related to Refactor #10025: Move taxonomy related methods and scopes to Host::Base added
- Related to Bug #10005: CVE-2015-1844 - Discovery hosts are not restricted to user taxonomies added
- % Done changed from 0 to 100
- Status changed from Ready For Testing to Closed
Warning for the release notes: this PR will make global (unscoped by organization/location) objects invisible to all users except for admins. If you want to make global objects you should assign them to all taxonomies.
- Related to Bug #10918: Provisioning templates no longer resolve/available for non-admin users in Foreman 1.7.5 added
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by