Bug 1006978 - Authenticated users are able to download consumer manifests that they don't own
Summary: Authenticated users are able to download consumer manifests that they don't own
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Candlepin
Classification: Community
Component: candlepin
Version: 0.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: Devan Goodwin
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks: 972873
Reported: 2013-09-11 15:49 UTC by Chris Peters
Modified: 2016-05-19 05:18 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-19 13:30:44 UTC



Description Chris Peters 2013-09-11 15:49:39 UTC
Description of problem:

Authenticated users are able to download any consumer's manifest if they know the UUID of the consumer.

user: gss-test-1a
consumer uuid: ddf2dcf2-9414-4512-b3af-b2eb8830b58e

I am able to download this manifest as another user.

curl -v -H "cp-user: rhn-cservice-acarter" -X GET http://s03.candlepin.stage.ext.phx2.redhat.com:8080/candlepin/consumers/ddf2dcf2-9414-4512-b3af-b2eb8830b58e/export -o manifest.zip

Comment 1 William Poteat 2013-09-11 18:32:11 UTC
All areas where consumer info is retrieved need to be locked down. The user must be associated with the owner that the consumer belongs to.

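The rule in the comment above (a principal may touch a consumer only if it is associated with that consumer's owner) is an object-level authorization check, and the bug is that the export route, and by the reporter's curl the consumer routes generally, only checked that the caller was authenticated. The block below is an added example written for this page, not Candlepin's code: it models the pre-fix route beside a hardened version that applies the owner check through one decorator to every consumer-scoped route, so the check cannot be forgotten per endpoint. The usernames and the consumer UUID are the ones in the report; the owner keys, the second consumer, the `cp-admin` super-user and the router are constructed for illustration.

```python
"""Object-level authorization for consumer-scoped routes.

Added example, not Candlepin's code. Models the bug: any authenticated
principal could fetch /consumers/<uuid>/export for a consumer it does not
own. Usernames and the first UUID come from the bug report; owner keys,
the second consumer and the routing code are constructed for illustration.
"""
import re
from functools import wraps

# Constructed sample data (owner keys are assumptions, not real orgs).
CONSUMERS = {
    "ddf2dcf2-9414-4512-b3af-b2eb8830b58e": {"owner": "gss-test-org", "name": "gss-test-1a-host"},
    "0d3e5f4a-2b1c-4c6d-9e8f-7a6b5c4d3e2f": {"owner": "acarter-org", "name": "acarter-host"},
}
# Owners (orgs) each user may act for; "*" marks a hypothetical super-admin.
USER_OWNERS = {
    "gss-test-1a": {"gss-test-org"},
    "rhn-cservice-acarter": {"acarter-org"},
    "cp-admin": {"*"},
}


class HttpError(Exception):
    def __init__(self, status, msg):
        super().__init__(msg)
        self.status = status


def principal_from_headers(headers):
    """Trusted-header authentication, as the bug's curl command uses (cp-user)."""
    user = headers.get("cp-user")
    if not user or user not in USER_OWNERS:
        raise HttpError(401, "authentication required")
    return user


def consumer_scoped(handler):
    """Resolve the consumer and require the principal to be associated with
    its owner before the handler runs. Every consumer route gets this."""
    @wraps(handler)
    def wrapper(principal, consumer_uuid):
        consumer = CONSUMERS.get(consumer_uuid)
        if consumer is None:
            raise HttpError(404, "no such consumer")
        owners = USER_OWNERS[principal]
        if "*" not in owners and consumer["owner"] not in owners:
            # Deny before any consumer data is touched: knowing the UUID
            # must not act as a capability.
            raise HttpError(403, "principal not associated with consumer owner")
        return handler(principal, consumer)
    return wrapper


# Pre-fix behaviour: authentication only, no ownership check.
def export_consumer_unchecked(principal, consumer_uuid):
    consumer = CONSUMERS.get(consumer_uuid)
    if consumer is None:
        raise HttpError(404, "no such consumer")
    return {"manifest_for": consumer["name"], "owner": consumer["owner"]}


@consumer_scoped
def export_consumer(principal, consumer):
    return {"manifest_for": consumer["name"], "owner": consumer["owner"]}


@consumer_scoped
def get_consumer(principal, consumer):
    return dict(consumer)


ROUTES = [
    (re.compile(r"^/candlepin/consumers/([0-9a-f-]{36})/export$"), export_consumer),
    (re.compile(r"^/candlepin/consumers/([0-9a-f-]{36})$"), get_consumer),
]
VULNERABLE_ROUTES = [(ROUTES[0][0], export_consumer_unchecked)]


def dispatch(path, headers, routes=ROUTES):
    """Return (status, body) for a GET, the way a minimal router would."""
    try:
        principal = principal_from_headers(headers)
        for pattern, handler in routes:
            m = pattern.match(path)
            if m:
                return 200, handler(principal, m.group(1))
        raise HttpError(404, "no such route")
    except HttpError as e:
        return e.status, {"error": str(e)}


if __name__ == "__main__":
    uuid = "ddf2dcf2-9414-4512-b3af-b2eb8830b58e"
    path = f"/candlepin/consumers/{uuid}/export"
    other = {"cp-user": "rhn-cservice-acarter"}
    print("before fix:", dispatch(path, other, VULNERABLE_ROUTES))
    print("after fix: ", dispatch(path, other))
    print("owner:     ", dispatch(path, {"cp-user": "gss-test-1a"}))
```

Run stand-alone it reproduces the report: with the unchecked route `rhn-cservice-acarter` gets a 200 and the manifest for `gss-test-1a`'s consumer; with the decorated route the same request is refused with 403, while the owning user and the super-admin still succeed. Putting the check in the decorator rather than in each handler is the point of the comment's "all areas": a new consumer route that forgets the check is the next instance of this bug.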
Comment 3 Devan Goodwin 2013-12-19 13:30:44 UTC
New permissions work is present in candlepin-0.8.34-1.

Will require work on IT side as per emails / demos / discussion on how to use it.

More info here:

https://fedorahosted.org/candlepin/wiki/AuthenticationAndAuthorization

This is not QE testable per se, closing as CURRENTRELEASE.

