Bug 1126840 - Models should ensure the authorization of associated objects before associating them to the model
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
high vote
Target Milestone: Unspecified
Assignee: Eric Helms
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Depends On:
Reported: 2014-08-05 12:23 UTC by Eric Helms
Modified: 2018-09-04 17:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2018-09-04 17:44:52 UTC

System                 ID    Priority  Status  Summary  Last Updated
Foreman Issue Tracker  6760  None      None    None     2016-04-22 15:38:11 UTC

Description Eric Helms 2014-08-05 12:23:41 UTC
While this issue is systematic, I'll provide an example using domains and subnets to illustrate the problem.

As an admin:
1. Create a new domain: "example.org"
2. Create a User: "testuser"
3. Create a new Role: "Subnets Role"
4. Add a Filter to the Role with - Type: Subnets, Permissions: create_subnets, view_subnets

As testuser:

curl -u testuser:testuser -X POST -d '{"name": "subnet1", "network": "", "mask": "", "domains": [{"id": 1}]}' -H "Content-Type: application/json"

Comment 1 Eric Helms 2014-08-05 12:23:42 UTC
Created from redmine issue http://projects.theforeman.org/issues/6760

Comment 2 Eric Helms 2014-08-05 12:23:44 UTC
Upstream bug assigned to ehelms@redhat.com

Comment 5 Bryan Kearney 2015-08-25 17:59:55 UTC
Upstream bug component is Users & Roles

Comment 8 Kurt Seifried 2017-03-07 03:56:12 UTC
Is this a hardening issue? It appears not directly exploitable, correct?

Comment 9 Bryan Kearney 2017-03-08 14:28:09 UTC
I will defer to Eric, but I think you need to be authenticated to exploit this.

Comment 10 Kurt Seifried 2017-03-29 02:35:28 UTC
Mar 28 16:28:38 <ehelms> it could let them associate an object to another object when they only had access to object A, there are protections in place in some cases, this is a kind of harden it at the model layer to prevent it vs the controller layer

So I'm going to go with hardening unless a clear avenue of exploitation comes to light.
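
The model-layer check this bug asks for, as an added example in plain Ruby that is not Foreman or Katello code and not part of the original report: the subnet/domain case from the description, with the unchecked association beside a version that authorizes each associated object before assigning any. All class and method names are hypothetical, and treating view_domains as the permission needed to associate a domain is an assumption.

```ruby
# Added illustration in plain Ruby; not Foreman/Katello code. Class and method
# names are hypothetical; "view_domains" as the required permission is assumed.
require "set"

class AuthorizationError < StandardError; end

# grants maps a permission name to :all or to a Set of object ids it covers.
User = Struct.new(:login, :grants) do
  def can?(permission, object)
    scope = grants[permission]
    !scope.nil? && (scope == :all || scope.include?(object.id))
  end
end
Domain = Struct.new(:id, :name)

# Constructed sample data standing in for the database.
DOMAINS = { 1 => Domain.new(1, "example.org"), 2 => Domain.new(2, "lab.example.org") }.freeze
TESTUSER = User.new("testuser", { "create_subnets" => :all, "view_subnets" => :all })

# Before: ids from the request body are associated without consulting the user.
class UncheckedSubnet
  attr_reader :name, :domains
  def initialize(name)
    @name = name
    @domains = []
  end

  def assign_domains(ids, _user)
    @domains = ids.map { |id| DOMAINS.fetch(id) }
  end
end

# After: the model authorizes every associated object before assigning any.
class CheckedSubnet < UncheckedSubnet
  def assign_domains(ids, user)
    # Unknown ids are treated like forbidden ones; one bad id rejects the whole set.
    denied = ids.reject { |id| (d = DOMAINS[id]) && user.can?("view_domains", d) }
    raise AuthorizationError, "#{user.login}: domains #{denied} denied" unless denied.empty?
    super
  end
end

# Returns :associated or :denied for one attempted association.
def try_assign(subnet, ids, user)
  subnet.assign_domains(ids, user)
  :associated
rescue AuthorizationError
  :denied
end
```

Because the check lives in the model, it applies to every caller of assign_domains, not only to the controller action that happens to validate the request.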

Comment 11 Eric Helms 2017-10-19 14:14:42 UTC
Brad is correct, and I agree with Kurt's assessment of hardening.

Comment 18 Bryan Kearney 2018-09-04 17:44:52 UTC
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.
