A user who has no roles or permissions can still view a task's details both through the web UI and through the API, if the user knows the UUID of the task. I know UUIDs are tough to guess, but...

This was introduced in foreman-tasks@79a0e2cb5 [1]; before this commit tasks were looked up through find_resource, which performed authorization checks. After this change, permissions are bypassed.

Steps to reproduce:
1) Have foreman with foreman-tasks >= 0.7.8
2) Trigger a couple of tasks
3) Create a user, assign no roles to the user
4.1) As the user, visit $foreman/foreman_tasks/tasks/$UUID, where $UUID is the UUID of a task from 2)
4.2) As the user, visit $foreman/foreman_tasks/tasks/$UUID/sub_tasks, where $UUID is the UUID of a task from 2) which has sub tasks
4.3) As the user, perform a GET request against $foreman/foreman_tasks/api/tasks/$UUID

Actual result:
In the UI, task details are shown. For a task with sub tasks, the sub tasks are shown on an index-like page. In the API, details are provided.

Expected result:
In the UI, a permission denied page is shown. In the API, the request fails with either 403 or 404.
<pre>
# curl -u user:changeme -k https://localhost/foreman_tasks/api/tasks/f4211c3e-467f-405e-a70c-980d6c4d4e0f 2>/dev/null | ruby -e "require 'json'; puts JSON.pretty_generate(JSON.parse(STDIN.read))"
{
  "id": "f4211c3e-467f-405e-a70c-980d6c4d4e0f",
  "label": "Actions::RemoteExecution::RunHostJob",
  "pending": false,
  "action": "Remote action: Run sleep 60 on helpful-snipe.lxd",
  "username": "admin",
  "started_at": "2019-07-10 12:21:44 UTC",
  "ended_at": "2019-07-10 12:22:50 UTC",
  "state": "stopped",
  "result": "success",
  "progress": 1.0,
  "input": {
    "host": {
      "id": 1,
      "name": "helpful-snipe.lxd"
    },
    "job_category": "Commands",
    "description": "Run sleep 60",
    "delegated_action_id": 2,
    "locale": "en",
    "current_request_id": null,
    "current_timezone": "Europe/Prague",
    "current_user_id": 4,
    "current_organization_id": 1,
    "current_location_id": 2
  },
  "output": {
  },
  "humanized": {
    "action": "Remote action:",
    "input": "Run sleep 60 on helpful-snipe.lxd",
    "output": "Exit status: 0",
    "errors": [

    ]
  },
  "cli_example": null
}
</pre>

[1] - https://github.com/theforeman/foreman-tasks/pull/151/commits/79a0e2cb52fbf872863a3a176e5b1d9a09fc984d
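The lookup change described in the report, as an added illustration that is not foreman-tasks code: a bare find-by-UUID (the pattern that bypasses permissions) beside a find_resource-style lookup that resolves the record only within the set of tasks the user is authorized to view. The Task and User classes, the TASKS list, the permission name and the UUIDs are all assumed or constructed for this example.

```ruby
# Minimal model of the two lookup styles; names and data are constructed,
# not taken from foreman-tasks.
Task = Struct.new(:id, :label, :owner)

class User
  attr_reader :name, :permissions
  def initialize(name, permissions = [])
    @name = name
    @permissions = permissions # e.g. ['view_foreman_tasks'] (assumed name)
  end

  def can?(permission)
    permissions.include?(permission)
  end
end

class Forbidden < StandardError; end # maps to HTTP 403
class NotFound < StandardError; end  # maps to HTTP 404

# Constructed sample tasks with fixed placeholder UUIDs.
TASKS = [
  Task.new('11111111-2222-4333-8444-555555555555', 'Actions::RemoteExecution::RunHostJob', 'admin'),
  Task.new('66666666-7777-4888-9999-aaaaaaaaaaaa', 'Actions::Example::SyncRepo', 'admin'),
].freeze

# Vulnerable pattern: a bare lookup by primary key. Whoever knows the UUID
# gets the record; the caller's permissions are never consulted.
def find_unscoped(uuid)
  TASKS.find { |t| t.id == uuid } or raise NotFound
end

# Tasks the user may view. Without the view permission the scope is empty;
# a real implementation would also apply per-organization/location filters.
def authorized_scope(user)
  user.can?('view_foreman_tasks') ? TASKS : []
end

# Hardened pattern: reject users lacking the permission outright (403), and
# resolve the UUID only inside the authorized scope, so a task outside that
# scope is indistinguishable from a non-existent one (404).
def find_resource(user, uuid)
  raise Forbidden unless user.can?('view_foreman_tasks')
  authorized_scope(user).find { |t| t.id == uuid } or raise NotFound
end
```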
Created from redmine issue https://projects.theforeman.org/issues/27275
Upstream bug assigned to aruzicka
*** Bug 1729143 has been marked as a duplicate of this bug. ***
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/27275 has been resolved.
*** Bug 1729351 has been marked as a duplicate of this bug. ***
Verified with steps from problem description.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2019:3172