Bug #12720

Technique Editor may ignore some errors when authenticating, leading to unauthorized access

Added by Nicolas CHARLES 7 months ago. Updated 5 months ago.

Status: Released
Priority: N/A
Category: Technique editor - API
Target version:
Severity: Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility: Operational - other Techniques | Technique editor | Rudder settings
Effort required:
Priority: 107
Tags:

Description

A user in read-only can change techniques in the Technique Editor.
A user with the role read_only can still update techniques.
Note that the Technique Editor button is not present in this case in the Directive Tree.


Related issues

Related to Rudder - Bug #12747: apache overwrites error response from Rudder (Released)

Associated revisions

Revision 655d3e2e (diff)
Added by Vincent MEMBRÉ 6 months ago

Fixes #12720: Technique Editor may ignores some error when authenticating

Revision 65ac84db (diff)
Added by Vincent MEMBRÉ 6 months ago

Fixes #12720: Technique Editor may ignores some error when authenticating, leading to unauthorized access

History

#1 Updated by François ARMAND 7 months ago

  • Tags set to Sponsored
  • Priority changed from 76 to 108

#2 Updated by Vincent MEMBRÉ 6 months ago

  • Target version changed from 4.3.2 to 4.1.13

#3 Updated by Vincent MEMBRÉ 6 months ago

  • Status changed from New to In progress

#4 Updated by Vincent MEMBRÉ 6 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/1600

#5 Updated by Vincent MEMBRÉ 6 months ago

  • Project changed from Rudder to ncf
  • Subject changed from Technique Editor does not comply to authorization to Technique Editor may ignores some error when authenticating
  • Category changed from Security to Technique editor - API
  • Status changed from Pending technical review to New

#6 Updated by Vincent MEMBRÉ 6 months ago

  • Status changed from New to In progress
  • Assignee changed from François ARMAND to Vincent MEMBRÉ

#7 Updated by Vincent MEMBRÉ 6 months ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to Benoît PECCATTE
  • Pull Request changed from https://github.com/Normation/rudder-packages/pull/1600 to https://github.com/Normation/ncf/pull/767

#8 Updated by Vincent MEMBRÉ 6 months ago

  • Related to Bug #12747: apache overwrites error response from Rudder added

#9 Updated by Normation Quality Assistant 6 months ago

  • Assignee changed from Benoît PECCATTE to Vincent MEMBRÉ

#10 Updated by Vincent MEMBRÉ 6 months ago

  • Subject changed from Technique Editor may ignores some error when authenticating to Technique Editor may ignores some error when authenticating, leading to unauthorized access

#11 Updated by Vincent MEMBRÉ 6 months ago

  • Assignee changed from Vincent MEMBRÉ to Benoît PECCATTE

#12 Updated by Normation Quality Assistant 6 months ago

  • Assignee changed from Benoît PECCATTE to Vincent MEMBRÉ

#13 Updated by Vincent MEMBRÉ 6 months ago

  • Status changed from Pending technical review to Pending release

#15 Updated by Vincent MEMBRÉ 5 months ago

  • Status changed from Pending release to Released
  • Priority changed from 108 to 107

This bug has been fixed in Rudder 4.1.13, 4.2.7 and 4.3.3 which were released today.
