Red Hat Bugzilla – Bug 1006978
Authenticated users are able to download consumer manifests that they don't own
Last modified: 2016-05-19 01:18:26 EDT
Description of problem:
Authenticated users are able to download any consumer's manifest if they know the UUID of the consumer.
consumer uuid: ddf2dcf2-9414-4512-b3af-b2eb8830b58e
I am able to download this manifest as another user.
curl -v -H "cp-user: rhn-cservice-acarter" -X GET http://s03.candlepin.stage.ext.phx2.redhat.com:8080/candlepin/consumers/ddf2dcf2-9414-4512-b3af-b2eb8830b58e/export -o manifest.zip
All areas where consumer info is retrieved need to be locked down. The user must be associated with the owner that the consumer belongs to.
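The owner-association check the description calls for, as an added example that is not Candlepin's own code: a minimal model of the export endpoint with the reported behaviour (lookup by UUID only) beside a version that refuses the export unless the caller is associated with the consumer's owner. All user names, owner keys, UUIDs and manifest bytes are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Consumer:
    uuid: str
    owner_key: str  # key of the organisation (owner) this consumer belongs to


# Constructed sample data; every name and UUID here is made up for the example.
CONSUMERS = {
    "0a0a0a0a-0000-4000-8000-000000000001": Consumer("0a0a0a0a-0000-4000-8000-000000000001", "org-alpha"),
    "0b0b0b0b-0000-4000-8000-000000000002": Consumer("0b0b0b0b-0000-4000-8000-000000000002", "org-beta"),
}
# Owners each authenticated user is associated with: the relation the fix relies on.
USER_OWNERS = {"alice": {"org-alpha"}, "bob": {"org-beta"}}


def build_manifest(consumer: Consumer) -> bytes:
    """Stand-in for the real export; returns bytes tied to the consumer."""
    return f"manifest-for:{consumer.uuid}".encode()


def export_vulnerable(user: str, consumer_uuid: str) -> tuple[int, bytes]:
    """The behaviour in the report: the consumer is looked up by UUID alone and
    the caller's owner association is never consulted, so any authenticated
    user who knows the UUID receives the manifest."""
    consumer = CONSUMERS.get(consumer_uuid)
    if consumer is None:
        return 404, b""
    return 200, build_manifest(consumer)


def export_fixed(user: str, consumer_uuid: str) -> tuple[int, bytes]:
    """Hardened variant: resolve the consumer's owner and require that the
    caller is associated with that owner before returning anything. An unknown
    UUID and a UUID belonging to another owner get the same response, so the
    endpoint does not confirm which UUIDs exist to callers who lack access."""
    consumer = CONSUMERS.get(consumer_uuid)
    allowed = consumer is not None and consumer.owner_key in USER_OWNERS.get(user, set())
    if not allowed:
        return 404, b""
    return 200, build_manifest(consumer)
```

The same owner check belongs on every consumer endpoint (detail, facts, certificates), not only on export, since the report says all areas where consumer info is retrieved need it.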
New permissions work is present in candlepin-0.8.34-1.
Will require work on the IT side as per emails / demos / discussions on how to use it.
More info here:
This is not QE testable per se, closing as CURRENTRELEASE.