Bug 439272 - Users can directly access channels they don't have access to
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 510
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Justin Sherrill
QA Contact: Preethi Thomas
Docs Contact:
Depends On:
Blocks: 456998
Reported: 2008-03-27 16:00 EDT by Justin Sherrill
Modified: 2009-09-10 15:47 EDT (History)
CC List: 2 users

See Also:
Fixed In Version: sat530
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-09-10 15:47:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Justin Sherrill 2008-03-27 16:00:07 EDT
The individual channel pages grant access to users that don't have permissions
to access them.  bug 172796 should fix the channel lists to not show them, but
there are other places that users can access those links (and they could also
guess at channel ids)

As an org admin:
1. Create a custom channel that's not globally subscribable.
2. Create a new user X.
3. Create a new system group SG and assign X as an admin to SG.
4. Create a new activation key, set the custom channel as the base channel and
SG as the group.
5. Mark the activation key as the org default.
6. Register systems using this activation key.
7. Log in as X and click Systems.
8. Notice that a clickable Custom Channel link is shown in the systems list.
9. Click the custom channel link.
Notice that X is able to access the custom channel completely even though the
user is NOT subscribed for this channel....


Step 9 should throw a permissions error
Comment 1 Justin Sherrill 2009-03-12 17:29:55 EDT
Looks like this was fixed with multiorg part 2...
Comment 2 Preethi Thomas 2009-04-09 12:39:29 EDT
fails_qa.
Satellite-5.3.0-RHEL5-re20090403.2-i386-embedded-oracle.iso
You arrive at the "We're sorry, but the channel could not be found." page and a web traceback.

It would be better to get a permission error rather than the not found error.
The following exception occurred while executing this request:
GET /rhn/WEB-INF/pages/common/errors/lookup.jsp

Date:4/9/09 11:53:24 AM EDT
Headers:
  host: rlx-3-24.rhndev.redhat.com
  user-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.2) Gecko/2008091816 Red Hat/3.0.2-3.el5 Firefox/3.0.2
  accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  accept-language: en-us,ar;q=0.8,ja;q=0.5,ml;q=0.3
  accept-encoding: gzip,deflate
  accept-charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  Keep-Alive: 300
  connection: keep-alive
  referer: https://rlx-3-24.rhndev.redhat.com/rhn/systems/SystemList.do
  cookie: JSESSIONID=A54363D9E9164A5A9914BD16B6C15A5C; rh_omni_tc=70160000000H4AjAAK; s_vi=[CS]v1|499AD56A000016E6-A3A095600005320[CE]; pxt-session-cookie=64x8f366f50c66f1cbe75ad8d323eee3d8d

Request:
Local Name = rlx-3-24.rhndev.redhat.com
Server Name = rlx-3-24.rhndev.redhat.com
Requested Session Id came from Cookie
Requested Session Valid = true
Session = org.apache.catalina.session.StandardSessionFacade@5c105c10[session=StandardSession[A54363D9E9164A5A9914BD16B6C15A5C]]
Protocol = https
Request Locale = en_US
Request Character Encoding = UTF-8
Attribute Names = rhnActiveLang, javax.servlet.include.request_uri, javax.servlet.include.context_path, javax.servlet.include.servlet_path, javax.servlet.jsp.jstl.fmt.timeZone.request, javax.servlet.request.key_size, javax.servlet.request.ssl_session, org.apache.struts.action.MESSAGE, javax.servlet.request.cipher_suite, error, org.apache.struts.action.EXCEPTION, org.apache.struts.action.MODULE, __sitemesh__using_stream, __sitemesh__filterapplied, session, org.apache.struts.action.mapping.instance, channelDetailForm, requestedUri,


User Information:
User pt-user1 (id 21, org_id 1)

Exception:
com.redhat.rhn.common.hibernate.LookupException: User 21 does not have access to channel 241 or the channel does not exist
        at com.redhat.rhn.manager.channel.ChannelManager.lookupByIdAndUser(ChannelManager.java:617)
        at com.redhat.rhn.frontend.action.channel.ChannelDetailsAction.execute(ChannelDetailsAction.java:56)
        at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:431)
        at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:237)
        at com.redhat.rhn.frontend.struts.RhnRequestProcessor.process(RhnRequestProcessor.java:82)
        at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196)
        at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:690)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.redhat.rhn.frontend.servlets.AuthFilter.doFilter(AuthFilter.java:73)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.opensymphony.module.sitemesh.filter.PageFilter.parsePage(PageFilter.java:142)
        at com.opensymphony.module.sitemesh.filter.PageFilter.doFilter(PageFilter.java:58)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.redhat.rhn.frontend.servlets.LocalizedEnvironmentFilter.doFilter(LocalizedEnvironmentFilter.java:67)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.redhat.rhn.frontend.servlets.EnvironmentFilter.doFilter(EnvironmentFilter.java:108)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.redhat.rhn.frontend.servlets.SessionFilter.doFilter(SessionFilter.java:55)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at com.redhat.rhn.frontend.servlets.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:97)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:215)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:172)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
        at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:200)
        at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:283)
        at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:773)
        at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:703)
        at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:895)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
        at java.lang.Thread.run(Thread.java:735)
Comment 3 Justin Sherrill 2009-04-16 17:30:08 EDT
Hey Preethi,

That page that I think you're seeing states:

 We're sorry, but the channel could not be found.

This error may have occurred in one of three ways:

   1. The channel requested does not exist. This is most likely if you arrived at this page through bookmarks or some other non-hyperlink.
   2. You do not have permission to view this channel.
   3. You've found an error in our site. Please help us by filling out this form with details of how you received this message.

Is that not adequate?
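Added example (Python, not Satellite/Spacewalk code) illustrating two points from this report: the description's requirement that the channel detail page enforce access for the requesting user even when the id was reached through a stray link or guessed directly, and the Comment 2 / Comment 3 question of what the user should see when the check fails. The `Channel`, `User`, `user_can_access` and `visible_channel_ids` names, the access policy and the sample ids are constructed for this illustration; only the exception text and the `lookup_by_id_and_user` name echo the traceback in Comment 2.

```python
from dataclasses import dataclass


class LookupException(Exception):
    """Raised when a channel is missing *or* not visible to the requesting user."""


@dataclass(frozen=True)
class Channel:
    id: int
    org_id: int
    label: str
    globally_subscribable: bool  # True: any user in the channel's org may view it


@dataclass(frozen=True)
class User:
    id: int
    org_id: int
    is_org_admin: bool
    subscribed_channel_ids: frozenset  # channels the user was explicitly granted


@dataclass(frozen=True)
class PageResult:
    status: str     # "ok" or "error"
    body: str       # what the browser shows
    log_line: str   # what goes to the server log (never to the browser)


# Constructed sample data; ids chosen to echo the traceback in Comment 2.
CHANNELS = {
    100: Channel(100, 1, "rhel-base", globally_subscribable=True),
    241: Channel(241, 1, "custom-private", globally_subscribable=False),
    300: Channel(300, 2, "other-org-channel", globally_subscribable=True),
}

ORG_ADMIN = User(1, 1, True, frozenset())
USER_X = User(21, 1, False, frozenset())          # like "pt-user1 (id 21, org_id 1)"
SUBSCRIBED = User(22, 1, False, frozenset({241}))

# Generic page text modelled on the error page quoted in Comment 3.
NOT_FOUND_PAGE = "We're sorry, but the channel could not be found."


def user_can_access(channel: Channel, user: User) -> bool:
    """Hypothetical policy: same org, and org admin, globally subscribable, or explicitly granted."""
    if channel.org_id != user.org_id:
        return False
    return (user.is_org_admin
            or channel.globally_subscribable
            or channel.id in user.subscribed_channel_ids)


def lookup_by_id_and_user(channel_id: int, user: User) -> Channel:
    """Every code path that renders a channel goes through this: the id alone is never enough."""
    channel = CHANNELS.get(channel_id)
    if channel is None or not user_can_access(channel, user):
        # One message for both cases, so the response does not reveal whether the id exists.
        raise LookupException(
            f"User {user.id} does not have access to channel {channel_id} "
            "or the channel does not exist"
        )
    return channel


def visible_channel_ids(user: User) -> list:
    """List view filtered by the same predicate as the detail view, so the two never disagree."""
    return sorted(c.id for c in CHANNELS.values() if user_can_access(c, user))


def channel_details_page(channel_id: int, user: User) -> PageResult:
    """Simulated controller: a failed lookup yields the generic page, not a traceback."""
    try:
        channel = lookup_by_id_and_user(channel_id, user)
    except LookupException as exc:
        return PageResult("error", NOT_FOUND_PAGE, str(exc))
    return PageResult("ok", channel.label, "")


if __name__ == "__main__":
    # User X sees only the globally subscribable channel in lists...
    print(visible_channel_ids(USER_X))
    # ...and a directly requested id 241 gets the same page as a nonexistent id 999.
    print(channel_details_page(241, USER_X).body)
    print(channel_details_page(999, USER_X).body)
```

The design choice worth noting is that the browser-facing text is identical for "does not exist" and "not permitted", while the detailed reason is kept for the server log; a caller who can tell the two apart can enumerate which channel ids exist, which is what the combined wording in the original exception avoids.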
Comment 4 Justin Sherrill 2009-04-17 11:34:09 EDT
talked to Preethi, moving back to on_QA
Comment 5 Preethi Thomas 2009-04-17 11:48:37 EDT
this seems to be fixed in the latest build.
verified
Satellite-5.3.0-RHEL5-re20090414.0-i386-embedded-oracle.iso
Comment 6 Brad Buckingham 2009-07-31 12:07:01 EDT
verified with 7/24 stage iso... moving to RELEASE_PENDING
Comment 7 Brandon Perkins 2009-09-10 15:47:40 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html