While this issue is systematic, I'll provide an example using domains and subnets to illustrate the problem.

As an admin:
1. Create a new domain: "example.org"
2. Create a User: "testuser"
3. Create a new Role: "Subnets Role"
4. Add a Filter to the Role with Type: Subnets, Permissions: create_subnets, view_subnets

As testuser:

curl -u testuser:testuser -X POST -d '{"name": "subnet1", "network": "255.168.192.1", "mask": "255.255.255.0", "domains": [{"id": 1}]}' -H "Content-Type: application/json" http://10.13.129.41:3000/api/v2/subnets
Created from redmine issue http://projects.theforeman.org/issues/6760
Upstream bug assigned to ehelms
Upstream bug component is Users & Roles
Is this a hardening issue? It appears not directly exploitable, correct?
I will defer to eric, but I think you need to be authenticated to exploit this.
Mar 28 16:28:38 <ehelms> it could let them associate an object to another object when they only had access to object A, there are protections in place in some cases, this is a kind of harden it at the model layer to prevent it vs the controller layer

So I'm going to go with hardening unless a clear avenue of exploitation comes to light.
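The hardening the comment above describes, enforcing association authorization in the model rather than relying on each controller, is shown here as an added Ruby example. It is not Foreman's code: the User struct, the Subnet class, the create_subnet entry point, the visible_domain_ids scope and the sample payload (which mirrors the report's request body) are all assumptions constructed for the illustration. The validation runs on every save, so a caller holding create_subnets but lacking access to a domain is rejected whichever API path built the record.

```ruby
# Added example (not Foreman's code): validate nested associations at the
# model layer so that a caller with create_subnets cannot attach a subnet to a
# domain outside its own scope, whichever controller created the record.

# Hypothetical user: coarse permissions plus the set of domain ids it may see.
User = Struct.new(:login, :permissions, :visible_domain_ids) do
  def can?(permission)
    permissions.include?(permission)
  end
end

class AuthorizationError < StandardError; end

# Hypothetical subnet model. The check lives in valid?, which save always
# calls, so a controller that forgot to vet the "domains" ids cannot bypass it.
class Subnet
  attr_reader :name, :network, :mask, :domain_ids, :errors

  def initialize(attrs, current_user)
    @name = attrs.fetch("name")
    @network = attrs.fetch("network")
    @mask = attrs.fetch("mask")
    @domain_ids = Array(attrs["domains"]).map { |d| d.fetch("id") }
    @current_user = current_user
    @errors = []
  end

  # Reject any domain id the current user is not permitted to view.
  def valid?
    @errors = []
    unauthorized = domain_ids - @current_user.visible_domain_ids
    unless unauthorized.empty?
      @errors << "not authorized to associate domains #{unauthorized.inspect}"
    end
    @errors.empty?
  end

  def save
    raise AuthorizationError, @errors.join("; ") unless valid?
    true
  end
end

# Controller-style entry point: checks only the coarse permission, as the
# report describes, and relies on the model to vet the nested associations.
def create_subnet(payload, current_user)
  raise AuthorizationError, "create_subnets required" unless current_user.can?("create_subnets")
  subnet = Subnet.new(payload, current_user)
  subnet.save
  subnet
end

# Constructed sample payload mirroring the request body in the report.
SAMPLE_PAYLOAD = {
  "name" => "subnet1", "network" => "255.168.192.1", "mask" => "255.255.255.0",
  "domains" => [{ "id" => 1 }]
}.freeze

# Returns :created or :rejected for a testuser whose domain scope is given.
def attempt(visible_domain_ids)
  user = User.new("testuser", %w[create_subnets view_subnets], visible_domain_ids)
  create_subnet(SAMPLE_PAYLOAD, user)
  :created
rescue AuthorizationError
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  puts "no domain in scope: #{attempt([])}"     # rejected
  puts "domain 1 in scope:  #{attempt([1])}"    # created
end
```

The role in the report grants subnet permissions only, so its scope of visible domains is empty and the same payload is rejected; once the role is also filtered to domain 1 the association is allowed. Because the decision is made in the model, a second controller or a nested-attributes path gets the same answer without repeating the check.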
Brad is correct, and I agree with Kurt's assessment of hardening.
Thank you for your interest in Satellite 6. We have evaluated this request, and we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Rich Jerrido or Bryan Kearney. Thank you.