Bug #12720
closed
Technique Editor may ignores some error when authenticating, leading to unauthorized access
Added by Nicolas CHARLES almost 6 years ago.
Updated almost 2 years ago.
Category:
Web - Technique editor
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
User visibility:
Operational - other Techniques | Technique editor | Rudder settings
Description
A user in read-only can change techniques in the Technique Editor
User with role read_only can still update techniques
Note that the Technique Editor button is not present in this case in the Directive Tree
- Translation missing: en.field_tag_list set to Sponsored
- Priority changed from 76 to 108
- Target version changed from 4.3.2 to 4.1.13
- Status changed from New to In progress
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Pull Request set to https://github.com/Normation/rudder-packages/pull/1600
- Project changed from Rudder to 41
- Subject changed from Technique Editor does not comply to authorization to Technique Editor may ignores some error when authenticating
- Category changed from Security to Technique editor - API
- Status changed from Pending technical review to New
- Status changed from New to In progress
- Assignee changed from François ARMAND to Vincent MEMBRÉ
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to Benoît PECCATTE
- Pull Request changed from https://github.com/Normation/rudder-packages/pull/1600 to https://github.com/Normation/ncf/pull/767
- Related to Bug #12747: apache overwrites error response from Rudder added
- Assignee changed from Benoît PECCATTE to Vincent MEMBRÉ
- Subject changed from Technique Editor may ignores some error when authenticating to Technique Editor may ignores some error when authenticating, leading to unauthorized access
- Assignee changed from Vincent MEMBRÉ to Benoît PECCATTE
- Assignee changed from Benoît PECCATTE to Vincent MEMBRÉ
- Status changed from Pending technical review to Pending release
Applied in changeset commit:655d3e2e523ce4155244afb53e876d3646a35b17.
Applied in changeset commit:65ac84dbbbef625a4e1d214068346e4050245e61.
- Status changed from Pending release to Released
- Priority changed from 108 to 107
This bug has been fixed in Rudder 4.1.13, 4.2.7 and 4.3.3 which were released today.
- Project changed from 41 to Rudder
- Category changed from Technique editor - API to Web - Technique editor
- Priority changed from 107 to 0
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by