Problem: Someone can currently modify the POST request on the Channel Permissions and Assigned Server Groups pages under User Details to include channels or server groups managed by a different org, and the changes persist to the database. The server trusts the channel and server group ids the browser sends back without checking that they belong to the user's org.

Solution: Validate the submitted channel and server group ids on the server side and refuse to persist user channel permissions or user assigned server groups that reference a channel or server group outside the user's org.

Reproduce:
1. Login -> go to Users -> click a User -> Channel Permissions.
2. Right click and save the page source.
3. Modify the POST form's action to point at the real domain (ex. /rhn/users -> https://rhn.webdev.redhat.com/rhn/users).
4. Add within the form tag a cid and selectedChannels entry for a channel from a different org, ex.:
   <input type="checkbox" name="selectedChannels" value="4211" /> <input type='hidden' name="cid" value="4211" />
5. Open the saved page from your hard drive in a web browser.
6. Select the checkbox that shouldn't be there.
7. Click the button to submit the form.
8. See that the user's channel permissions include the invalid channel:
   Select * from rhnUserChannel where user_id = :uid and channel_id = :cid

For server group permissions, do the same as above with the following changes:
1. Login -> go to Users -> click a User -> System Groups.
4. <input type="checkbox" name="selectedGroups" value="4635208" /> <input type="hidden" name="cid" value="4635208" />
8. See that the user's server group permissions include the invalid group:
   Select * from rhnUserManagedServerGroups where user_id = :uid and server_group_id = :sgid
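The following is an added illustration of the missing check and of the fix described above; it is not Spacewalk/RHN code. The tables are in-memory stand-ins named after rhnUserChannel and rhnUserManagedServerGroups from the report, the form field names (selectedChannels, selectedGroups) are the ones in the report, and handle_post(), save_unchecked(), save_checked() and the sample ids for org 1 are hypothetical. save_unchecked() reproduces the reported behaviour (a checkbox added for another org's channel persists); save_checked() rejects the whole submission if any submitted id is not owned by the user's org, so nothing is written.

```python
"""Ownership check for the ids a user submits on the Channel Permissions and
System Groups forms. Added, self-contained example, not Spacewalk/RHN code:
tables are in-memory stand-ins, handle_post() and friends are hypothetical."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample data. Org 1 is the logged-in user's org; channel 4211 and
# server group 4635208 (the ids used in the report) belong to org 2.
USERS: Dict[int, int] = {7: 1}                        # user_id -> org_id
CHANNELS: Dict[int, int] = {100: 1, 101: 1, 4211: 2}  # channel_id -> org_id
SERVER_GROUPS: Dict[int, int] = {500: 1, 4635208: 2}  # server_group_id -> org_id

# Stand-ins for rhnUserChannel(user_id, channel_id) and
# rhnUserManagedServerGroups(user_id, server_group_id).
rhnUserChannel: Set[Tuple[int, int]] = set()
rhnUserManagedServerGroups: Set[Tuple[int, int]] = set()


class CrossOrgAccess(Exception):
    """A submitted id names an object the user's org does not own."""


def parse_ids(values: Iterable[str]) -> List[int]:
    """Form values arrive as strings; anything non-numeric is an error, not 0."""
    ids = []
    for v in values:
        if not v.isdigit():
            raise ValueError(f"bad id in form: {v!r}")
        ids.append(int(v))
    return ids


def save_unchecked(uid: int, values: Iterable[str],
                   table: Set[Tuple[int, int]]) -> List[int]:
    """The behaviour the report describes: whatever ids the browser sent are
    written, so an id from another org persists."""
    ids = parse_ids(values)
    table.difference_update({row for row in table if row[0] == uid})
    table.update((uid, oid) for oid in ids)
    return ids


def save_checked(uid: int, values: Iterable[str], owners: Dict[int, int],
                 table: Set[Tuple[int, int]]) -> List[int]:
    """The fix: every id must belong to the user's own org. One foreign (or
    unknown) id rejects the whole submission before anything is written."""
    org = USERS[uid]
    ids = parse_ids(values)
    foreign = [oid for oid in ids if owners.get(oid) != org]
    if foreign:
        raise CrossOrgAccess(
            f"user {uid} (org {org}) submitted ids it may not assign: {foreign}")
    table.difference_update({row for row in table if row[0] == uid})
    table.update((uid, oid) for oid in ids)
    return ids


def handle_post(uid: int, form: Dict[str, List[str]]) -> Dict[str, object]:
    """Hypothetical controller serving both pages. The form dict mirrors the
    POST body: a repeated checkbox field becomes a list of values."""
    try:
        if "selectedChannels" in form:
            saved = save_checked(uid, form["selectedChannels"],
                                 CHANNELS, rhnUserChannel)
        elif "selectedGroups" in form:
            saved = save_checked(uid, form["selectedGroups"],
                                 SERVER_GROUPS, rhnUserManagedServerGroups)
        else:
            saved = []
    except CrossOrgAccess as e:
        return {"status": 403, "error": str(e)}
    except ValueError as e:
        return {"status": 400, "error": str(e)}
    return {"status": 200, "saved": saved}


def channel_ids_for(uid: int) -> Set[int]:
    """select channel_id from rhnUserChannel where user_id = :uid"""
    return {cid for (u, cid) in rhnUserChannel if u == uid}


def group_ids_for(uid: int) -> Set[int]:
    """select server_group_id from rhnUserManagedServerGroups where user_id = :uid"""
    return {sgid for (u, sgid) in rhnUserManagedServerGroups if u == uid}


if __name__ == "__main__":
    # Step 4 of the report: a checkbox for org 2's channel 4211 added to the form.
    save_unchecked(7, ["100", "4211"], rhnUserChannel)
    print("unchecked:", sorted(channel_ids_for(7)))
    rhnUserChannel.clear()
    print(handle_post(7, {"selectedChannels": ["100", "4211"]}))
    print("checked:", sorted(channel_ids_for(7)))
    print(handle_post(7, {"selectedChannels": ["100", "101"]}))
    print(handle_post(7, {"selectedGroups": ["4635208"]}))
```

The check compares each submitted id against the owning org of the object, not merely against the ids that were rendered into the page, so it also catches ids that exist in no org at all. Rejecting the whole request rather than silently dropping the foreign ids is deliberate: a tampered form is a sign of probing, and a 403 with the offending ids logged is more useful to an operator than a partially applied save.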
These holes are fixed on QA.