Bug 1006978 - Authenticated users are able to download consumer manifests that they don't own
Product: Candlepin
Classification: Community
Component: candlepin
Priority: unspecified
Severity: high
Assigned To: Devan Goodwin
QA Contact: Katello QA List
Blocks: 972873
Reported: 2013-09-11 11:49 EDT by Chris Peters
Modified: 2016-05-19 01:18 EDT
Doc Type: Bug Fix
Last Closed: 2013-12-19 08:30:44 EST
Type: Bug
Attachments: None
Description Chris Peters 2013-09-11 11:49:39 EDT
Description of problem:

Authenticated users are able to download any consumer manifests if they know the UUID of the consumer.

user: gss-test-1a
consumer uuid: ddf2dcf2-9414-4512-b3af-b2eb8830b58e

I am able to download this manifest as another user.

curl -v -H "cp-user: rhn-cservice-acarter" -X GET http://s03.candlepin.stage.ext.phx2.redhat.com:8080/candlepin/consumers/ddf2dcf2-9414-4512-b3af-b2eb8830b58e/export -o manifest.zip
Comment 1 William Poteat 2013-09-11 14:32:11 EDT
All areas where consumer info is retrieved need to be locked down. The user must be associated with the owner that the consumer belongs to.
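The defect in the description and the rule stated in comment 1, as an added example in Python that is not Candlepin's code: the export handler as reported checks only that the caller is authenticated, while the fixed handlers run an owner-membership check on every endpoint that takes a consumer UUID. The names (Principal, Consumer, require_consumer_access, export_consumer, get_consumer, status_for) and the consumer records are assumptions constructed for the example; the HTTP codes are the ones such a handler would map its outcomes to.

```python
"""Owner-scoped access control for consumer endpoints (illustrative model).

Added example, not Candlepin's code. Principal, Consumer, the handler names
and the sample records below are assumptions constructed for this demo.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, FrozenSet, Optional


class Forbidden(Exception):
    """HTTP 403: authenticated, but not allowed to touch this consumer."""


class NotFound(Exception):
    """HTTP 404: no consumer with that UUID."""


@dataclass(frozen=True)
class Consumer:
    uuid: str
    owner_key: str  # the owner (organisation) the consumer registered under


@dataclass(frozen=True)
class Principal:
    name: str
    owner_keys: FrozenSet[str]            # owners the caller holds a role on
    consumer_uuid: Optional[str] = None   # set when a consumer authenticates as itself
    super_admin: bool = False


# Constructed sample data: one consumer in each of two owners.
CONSUMER_A = "11111111-1111-4111-8111-111111111111"
CONSUMER_B = "22222222-2222-4222-8222-222222222222"
CONSUMERS = {
    CONSUMER_A: Consumer(CONSUMER_A, "org-a"),
    CONSUMER_B: Consumer(CONSUMER_B, "org-b"),
}


def load_consumer(consumer_uuid: str) -> Consumer:
    try:
        return CONSUMERS[consumer_uuid]
    except KeyError:
        raise NotFound(consumer_uuid) from None


def can_access_consumer(principal: Principal, consumer: Consumer) -> bool:
    """Comment 1's rule: the caller must belong to the consumer's owner.
    A consumer may also act on itself; a super admin may act on any consumer."""
    if principal.super_admin or principal.consumer_uuid == consumer.uuid:
        return True
    return consumer.owner_key in principal.owner_keys


def require_consumer_access(handler: Callable) -> Callable:
    """Load the consumer and enforce can_access_consumer before the handler runs.
    Applying this to every consumer endpoint closes the whole class of bug at once."""
    @wraps(handler)
    def wrapper(principal: Principal, consumer_uuid: str, *args, **kwargs):
        consumer = load_consumer(consumer_uuid)
        if not can_access_consumer(principal, consumer):
            raise Forbidden(f"{principal.name} may not access consumer {consumer_uuid}")
        return handler(principal, consumer, *args, **kwargs)
    return wrapper


def build_manifest(consumer: Consumer) -> dict:
    # Stand-in for the manifest archive; the real export is a zip of entitlement data.
    return {"consumer": consumer.uuid, "owner": consumer.owner_key}


def export_consumer_vulnerable(principal: Principal, consumer_uuid: str) -> dict:
    """Behaviour reported in the bug: any authenticated caller who knows the
    UUID gets the manifest, because only authentication was checked."""
    return build_manifest(load_consumer(consumer_uuid))


@require_consumer_access
def export_consumer(principal: Principal, consumer: Consumer) -> dict:
    """Fixed GET /consumers/{uuid}/export: access was verified by the decorator."""
    return build_manifest(consumer)


@require_consumer_access
def get_consumer(principal: Principal, consumer: Consumer) -> dict:
    """Fixed GET /consumers/{uuid}: same check, same decorator."""
    return {"uuid": consumer.uuid, "owner": consumer.owner_key}


def status_for(handler: Callable, principal: Principal, consumer_uuid: str) -> int:
    """Translate a handler outcome into the HTTP status it would produce."""
    try:
        handler(principal, consumer_uuid)
        return 200
    except Forbidden:
        return 403
    except NotFound:
        return 404


if __name__ == "__main__":
    outsider = Principal("outsider", frozenset({"org-b"}))   # has no role on org-a
    member = Principal("member", frozenset({"org-a"}))
    print(status_for(export_consumer_vulnerable, outsider, CONSUMER_A))  # 200, the bug
    print(status_for(export_consumer, outsider, CONSUMER_A))             # 403
    print(status_for(export_consumer, member, CONSUMER_A))               # 200
```

Whether to answer a foreign UUID with 403 or 404 is a separate design choice: 403 confirms to the caller that a guessed UUID exists, so an API that wants to avoid that enumeration oracle returns 404 for both the unknown and the forbidden case.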
Comment 3 Devan Goodwin 2013-12-19 08:30:44 EST
New permissions work is present in candlepin-0.8.34-1.

Will require work on IT side as per emails / demos / discussions on how to use it.

More info here:


This is not QE testable per se, closing as CURRENTRELEASE.
