Bug 1208080 - CVE-2015-1844 foreman: API not scoping resources to taxonomies [rhn_satellite_6.0.z]
Summary: CVE-2015-1844 foreman: API not scoping resources to taxonomies [rhn_satellite...
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Security
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Marek Hulan
QA Contact: Katello QA List
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On: 1208071
Blocks: CVE-2015-1844
Reported: 2015-04-01 10:41 UTC by Marek Hulan
Modified: 2016-04-22 15:36 UTC (History)
6 users

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of: 1208071
Environment:
Last Closed: 2015-06-30 16:47:17 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 9947 0 None None None 2016-04-22 15:36:16 UTC

Description Marek Hulan 2015-04-01 10:41:33 UTC
+++ This bug was initially created as a clone of Bug #1208071 +++

I created a new user with a dedicated role with the following permissions:

Host/managed: view_hosts

The user is a member of 1 organization and 2/4 locations. When logging in via the web interface, the user can only see the hosts belonging to that 1 organization/2 locations. However, an API call via /api/hosts lists the hosts of all organizations and all locations. The only way I could fix this was by applying a location/organization restriction to the view_hosts filter on the role.

--- Additional comment from Marek Hulan on 2015-04-01 06:28:17 EDT ---

Created from redmine issue http://projects.theforeman.org/issues/9947

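The scoping gap described in the report, shown as an added illustration in plain Ruby (this is not Foreman's code; the Host/User structures, the sample hosts and the rule that a user with no assigned taxonomies sees nothing are assumptions of the example). The unscoped listing applies only the permission check, the scoped one also filters by the caller's organizations and locations, and `leaked_hosts` is the regression check a defender would run against an API response:

```ruby
# Added example, not Foreman code: scoping a permission-filtered
# resource list to the caller's taxonomies (organizations, locations).
Host = Struct.new(:name, :organization, :location)
User = Struct.new(:name, :permissions, :organizations, :locations)

# Constructed sample data: one org with three locations, plus a second org.
HOSTS = [
  Host.new('web1', 'org1', 'loc1'),
  Host.new('web2', 'org1', 'loc2'),
  Host.new('db1',  'org1', 'loc3'),
  Host.new('app1', 'org2', 'loc1'),
].freeze

def in_taxonomies?(user, host)
  user.organizations.include?(host.organization) &&
    user.locations.include?(host.location)
end

# Behaviour the report describes for /api/hosts: the view_hosts
# permission is checked, but results are not limited to the user's
# organizations and locations.
def api_hosts_unscoped(user, hosts = HOSTS)
  return [] unless user.permissions.include?(:view_hosts)
  hosts
end

# Behaviour the web UI shows: permission check plus taxonomy scope.
# Assumption of this example: a user assigned no taxonomies sees nothing.
def api_hosts_scoped(user, hosts = HOSTS)
  return [] unless user.permissions.include?(:view_hosts)
  hosts.select { |h| in_taxonomies?(user, h) }
end

# Regression check: any host outside the caller's taxonomies in an API
# response is a leak.
def leaked_hosts(user, results)
  results.reject { |h| in_taxonomies?(user, h) }
end

if __FILE__ == $PROGRAM_NAME
  user = User.new('reporter', [:view_hosts], ['org1'], ['loc1', 'loc2'])
  puts "unscoped: #{api_hosts_unscoped(user).map(&:name).join(', ')}"
  puts "scoped:   #{api_hosts_scoped(user).map(&:name).join(', ')}"
  puts "leaked:   #{leaked_hosts(user, api_hosts_unscoped(user)).map(&:name).join(', ')}"
end
```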
Comment 2 Bryan Kearney 2015-04-09 16:06:34 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/9947 has been closed
-------------
Marek Hulán
Applied in changeset commit:abe910f2a46f4ecc1f349263d0b4751ed46ff200.

Comment 4 Bryan Kearney 2015-06-30 16:47:17 UTC
This bug is resolved in the Satellite 6.1 code base in bug https://bugzilla.redhat.com/show_bug.cgi?id=1208071. We are not planning to backport this to 6.0, and are therefore closing out this bug. Please feel free to contact bkearney and dcaplan with any issues.
