Bug 1589266
| Summary: | Users can see items which they don't have permissions/access to under services they own | |||
|---|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | jritenou | |
| Component: | API | Assignee: | Milan Zázrivec <mzazrivec> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Landon LaSmith <llasmith> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 5.9.0 | CC: | cpelland, duboyd, gtanzill, jamisonm, jritenou, lavenel, llasmith, obarenbo, simaishi | |
| Target Milestone: | GA | Keywords: | TestOnly, ZStream | |
| Target Release: | 5.10.0 | Flags: | gtanzill:
needinfo-
|
|
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | 5.10.0.2 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1594275 (view as bug list) | Environment: | ||
| Last Closed: | 2019-02-11 14:07:44 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1594275 | |||
|
Description
jritenou
2018-06-08 14:46:26 UTC
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set the severity to Low. Reassigning to API team to take a look at. The UI doesn't control what data comes back from API in order to decide what to hide or show an individual user. Please let me know if you would like my help in the future to test or validate this after API changes have been made. Chris, would you be able to provide us with the API call being made that is bringing VMs that the use shouldn't see? This way we can verify that RBAC is properly being enforced. Hi jritenou,
Do you have an appliance setup that can reproduce this issue that we can look at?
Thank you in advance,
Chris H
New commit detected on ManageIQ/manageiq-api/master: https://github.com/ManageIQ/manageiq-api/commit/7566ed9c7c6bfb57305d9456c98285f040a3346a commit 7566ed9c7c6bfb57305d9456c98285f040a3346a Author: Milan Zazrivec <mzazrivec> AuthorDate: Wed Jun 20 12:08:16 2018 -0400 Commit: Milan Zazrivec <mzazrivec> CommitDate: Wed Jun 20 12:08:16 2018 -0400 services?expand=vms: fetch RBAC-filtered list of vms https://bugzilla.redhat.com/show_bug.cgi?id=1589266 app/controllers/api/subcollections/vms.rb | 1 + 1 file changed, 1 insertion(+) VERIFIED in 5.10.0.8. I was able to create a user restricted to the engineering department that could only see services that were also tagged with Engineering. When completed services were created via a bundle the user could only see services that were tagged with Engineering |