Red Hat Bugzilla – Bug 163614
Java Security for Errata
Last modified: 2007-04-18 13:29:32 EDT
Currently the java stack doesn't test whether a user has access to view an
erratum before looking it up. The result is that a user could type in the eid
in the url for the Errata Details page and view an erratum that he or she does
not have access to view.
Ken, this will need a testplan.
First, find an id for an erratum some user cannot view. An erratum is viewable
by anyone in an org that has permissions to a channel in which that erratum is.
Log in as the user that cannot view the selected erratum. Go to Errata -> Click
an Erratum -> Modify the URL so that the eid parameter is the selected,
non-viewable erratum. This can be done on every java page that shows details.
Expected Results: A Lookup error page.
Failure Results: Errata Details
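The rule the test plan states (an erratum is viewable only by a user whose org has permission to a channel carrying it) is what the lookup has to enforce before it returns anything. The following is an added illustration in plain Java of the unchecked lookup the bug describes next to a checked one; it is not RHN code, and every class, method and identifier name, as well as the sample data, is an assumption made for the example.

```java
import java.util.Map;
import java.util.Set;

/*
 * Added illustration, not RHN/Spacewalk code. All names and the sample
 * data below are hypothetical. Requires Java 16+ for records.
 */
public class ErratumAccessExample {

    /** Stand-in for the "Lookup error" page the test plan expects. */
    static class LookupException extends RuntimeException {
        LookupException(String msg) { super(msg); }
    }

    record Erratum(long id, String advisory) {}
    record User(long id, long orgId) {}

    // Constructed sample data (hypothetical ids).
    // Erratum id -> erratum
    static final Map<Long, Erratum> ERRATA = Map.of(
        1001L, new Erratum(1001L, "EXAMPLE-ADVISORY-1"),
        1002L, new Erratum(1002L, "EXAMPLE-ADVISORY-2"));
    // Channel id -> ids of errata published in that channel
    static final Map<Long, Set<Long>> CHANNEL_ERRATA = Map.of(
        10L, Set.of(1001L),
        20L, Set.of(1002L));
    // Org id -> ids of channels the org has permission to
    static final Map<Long, Set<Long>> ORG_CHANNELS = Map.of(
        1L, Set.of(10L),
        2L, Set.of(20L));

    /** Vulnerable form: the behaviour the bug reports. Any eid resolves. */
    static Erratum lookupUnchecked(long eid) {
        Erratum e = ERRATA.get(eid);
        if (e == null) {
            throw new LookupException("Could not find erratum " + eid);
        }
        return e;
    }

    /** True if some channel the user's org can access contains the erratum. */
    static boolean canView(User user, long eid) {
        for (long channelId : ORG_CHANNELS.getOrDefault(user.orgId(), Set.of())) {
            if (CHANNEL_ERRATA.getOrDefault(channelId, Set.of()).contains(eid)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checked form: takes the requesting user and fails with the same
     * exception whether the erratum is missing or merely not viewable,
     * so the details page cannot be used to probe which eids exist.
     */
    static Erratum lookupForUser(long eid, User user) {
        Erratum e = ERRATA.get(eid);
        if (e == null || !canView(user, eid)) {
            throw new LookupException("Could not find erratum " + eid);
        }
        return e;
    }

    public static void main(String[] args) {
        User orgOneUser = new User(7L, 1L);   // org 1 sees 1001, not 1002
        System.out.println("unchecked 1002: " + lookupUnchecked(1002L).advisory());
        System.out.println("checked 1001: " + lookupForUser(1001L, orgOneUser).advisory());
        try {
            lookupForUser(1002L, orgOneUser);
        } catch (LookupException ex) {
            System.out.println("checked 1002: " + ex.getMessage());
        }
    }
}
```

Every page that takes an eid should go through the checked lookup rather than calling the raw id lookup and filtering afterwards, which is why the test plan walks each details page; returning one indistinguishable lookup error for both the missing and the forbidden case is a deliberate choice so the URL cannot be used to enumerate erratum ids.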
will QA this.
Works fine; tested each of the errata java pages. prod_ready.