Bug 1208080

Summary: CVE-2015-1844 foreman: API not scoping resources to taxonomies [rhn_satellite_6.0.z]
Product: Red Hat Satellite
Reporter: Marek Hulan <mhulan>
Component: Security
Assignee: Marek Hulan <mhulan>
Status: CLOSED NEXTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: high
Docs Contact:
Priority: unspecified
Version: 6.0.4
CC: bbuckingham, bkearney, cwelton, jrusnack, katello-qa-list, ohadlevy
Target Milestone: Unspecified
Keywords: Security, SecurityTracking, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/9947
Whiteboard:
Fixed In Version:
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of: 1208071
Environment:
Last Closed: 2015-06-30 16:47:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1208071
Bug Blocks: 1207589

Description Marek Hulan 2015-04-01 10:41:33 UTC
+++ This bug was initially created as a clone of Bug #1208071 +++

I created a new user with a dedicated role with the following permissions:

Host/managed: 	view_hosts

The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.

--- Additional comment from Marek Hulan on 2015-04-01 06:28:17 EDT ---

Created from redmine issue http://projects.theforeman.org/issues/9947
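
The behaviour the description reports, as an added illustration in Ruby (Foreman's own language). This is not Foreman's code: the Host/User/Filter structures, the sample inventory, and the function names api_hosts_unscoped / api_hosts_scoped are constructed for the example. It shows why a role filter with no taxonomy restriction leaks every host through an API path that only checks the permission, and how intersecting the result with the user's organizations and locations (what the web UI does) closes the gap.

```ruby
# Added illustration, not Foreman code. Models a view_hosts permission
# that is checked without taxonomy (organization/location) scoping.

Host = Struct.new(:name, :organization, :location)

# A role filter: a permission plus an optional taxonomy restriction.
# nil means "no restriction", which is how the reporter's role was set up.
Filter = Struct.new(:permission, :organizations, :locations, keyword_init: true) do
  def matches?(host)
    org_ok = organizations.nil? || organizations.include?(host.organization)
    loc_ok = locations.nil? || locations.include?(host.location)
    org_ok && loc_ok
  end
end

# A user is a member of some organizations/locations and holds role filters.
User = Struct.new(:login, :organizations, :locations, :filters, keyword_init: true) do
  def allowed?(permission)
    filters.any? { |f| f.permission == permission }
  end
end

# Constructed inventory: two organizations, four locations.
HOSTS = [
  Host.new('web01', 'Org A', 'Prague'),
  Host.new('web02', 'Org A', 'Brno'),
  Host.new('db01',  'Org A', 'Vienna'),
  Host.new('app01', 'Org B', 'Prague'),
  Host.new('app02', 'Org B', 'Berlin'),
].freeze

# The leaky path: permission check plus the filter's own restriction only.
# With an unrestricted view_hosts filter, every host is returned.
def api_hosts_unscoped(user, hosts = HOSTS)
  return [] unless user.allowed?(:view_hosts)
  hosts.select do |h|
    user.filters.any? { |f| f.permission == :view_hosts && f.matches?(h) }
  end
end

# The scoped path: additionally intersect with the user's own taxonomies,
# so membership in 1 organization / 2 locations bounds what is visible.
def api_hosts_scoped(user, hosts = HOSTS)
  api_hosts_unscoped(user, hosts).select do |h|
    user.organizations.include?(h.organization) &&
      user.locations.include?(h.location)
  end
end

# Hosts the unscoped API exposes beyond what the user should see.
def leaked_hosts(user, hosts = HOSTS)
  (api_hosts_unscoped(user, hosts) - api_hosts_scoped(user, hosts)).map(&:name)
end

# Reporter's setup: member of Org A and two of four locations, with an
# unrestricted view_hosts filter.
ALICE = User.new(
  login: 'alice',
  organizations: ['Org A'],
  locations: %w[Prague Brno],
  filters: [Filter.new(permission: :view_hosts)]
)

# The reporter's workaround: pin the taxonomy restriction onto the filter
# itself, so even the unscoped path only sees Org A / Prague, Brno.
ALICE_WORKAROUND = User.new(
  login: 'alice',
  organizations: ['Org A'],
  locations: %w[Prague Brno],
  filters: [Filter.new(permission: :view_hosts,
                       organizations: ['Org A'],
                       locations: %w[Prague Brno])]
)

if __FILE__ == $PROGRAM_NAME
  puts "unscoped API: #{api_hosts_unscoped(ALICE).map(&:name).join(', ')}"
  puts "scoped API:   #{api_hosts_scoped(ALICE).map(&:name).join(', ')}"
  puts "leaked:       #{leaked_hosts(ALICE).join(', ')}"
end
```

Running it shows the unscoped call returning all five hosts for alice, the scoped call returning only web01 and web02, and the workaround user getting the same two hosts even through the unscoped path, which is exactly the effect the reporter got by restricting the filter on the role.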

Comment 2 Bryan Kearney 2015-04-09 16:06:34 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/9947 has been closed
-------------
Marek Hulán
Applied in changeset commit:abe910f2a46f4ecc1f349263d0b4751ed46ff200.

Comment 4 Bryan Kearney 2015-06-30 16:47:17 UTC
This bug is resolved in the Satellite 6.1 code base in bug https://bugzilla.redhat.com/show_bug.cgi?id=1208071. We are not planning to backport this to 6.0, and are therefore closing out this bug. Please feel free to contact bkearney and dcaplan with any issues.