Project

General

Profile

Actions

Bug #12720

closed

Technique Editor may ignores some error when authenticating, leading to unauthorized access

Added by Nicolas CHARLES over 6 years ago. Updated over 2 years ago.

Status:
Released
Priority:
N/A
Category:
Web - Technique editor
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Effort required:
Priority:
0
Name check:
Fix check:
Regression:

Description

A user in read-only can change techniques in the Technique Editor
User with role read_only can still update techniques
Note that the Technique Editor button is not present in this case in the Directive Tree


Related issues 1 (0 open1 closed)

Related to Rudder - Bug #12747: apache overwrites error response from RudderReleasedBenoît PECCATTEActions
Actions #1

Updated by François ARMAND over 6 years ago

  • Translation missing: en.field_tag_list set to Sponsored
  • Priority changed from 76 to 108
Actions #2

Updated by Vincent MEMBRÉ over 6 years ago

  • Target version changed from 4.3.2 to 4.1.13
Actions #3

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from New to In progress
Actions #4

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/1600
Actions #5

Updated by Vincent MEMBRÉ over 6 years ago

  • Project changed from Rudder to 41
  • Subject changed from Technique Editor does not comply to authorization to Technique Editor may ignores some error when authenticating
  • Category changed from Security to Technique editor - API
  • Status changed from Pending technical review to New
Actions #6

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from New to In progress
  • Assignee changed from François ARMAND to Vincent MEMBRÉ
Actions #7

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Vincent MEMBRÉ to Benoît PECCATTE
  • Pull Request changed from https://github.com/Normation/rudder-packages/pull/1600 to https://github.com/Normation/ncf/pull/767
Actions #8

Updated by Vincent MEMBRÉ over 6 years ago

  • Related to Bug #12747: apache overwrites error response from Rudder added
Actions #9

Updated by Rudder Quality Assistant over 6 years ago

  • Assignee changed from Benoît PECCATTE to Vincent MEMBRÉ
Actions #10

Updated by Vincent MEMBRÉ over 6 years ago

  • Subject changed from Technique Editor may ignores some error when authenticating to Technique Editor may ignores some error when authenticating, leading to unauthorized access
Actions #11

Updated by Vincent MEMBRÉ over 6 years ago

  • Assignee changed from Vincent MEMBRÉ to Benoît PECCATTE
Actions #12

Updated by Rudder Quality Assistant over 6 years ago

  • Assignee changed from Benoît PECCATTE to Vincent MEMBRÉ
Actions #13

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from Pending technical review to Pending release

Applied in changeset commit:655d3e2e523ce4155244afb53e876d3646a35b17.

Actions #14

Updated by Vincent MEMBRÉ over 6 years ago

Applied in changeset commit:65ac84dbbbef625a4e1d214068346e4050245e61.

Actions #15

Updated by Vincent MEMBRÉ over 6 years ago

  • Status changed from Pending release to Released
  • Priority changed from 108 to 107

This bug has been fixed in Rudder 4.1.13, 4.2.7 and 4.3.3 which were released today.

Actions #16

Updated by Alexis Mousset over 2 years ago

  • Project changed from 41 to Rudder
  • Category changed from Technique editor - API to Web - Technique editor
  • Priority changed from 107 to 0
Actions

Also available in: Atom PDF