Project

General

Profile

Actions

Bug #15104

closed

A user with read only access can modify global parameters

Added by Benoît PECCATTE over 5 years ago. Updated over 1 year ago.

Status:
Released
Priority:
N/A
Category:
Security
Target version:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Very Small
Priority:
0
Name check:
Reviewed
Fix check:
Error - Fixed
Regression:

Description

This is a security issue

Is seems that the user can also modify techniques in the editor.

Found in 5.0.11


Files


Subtasks 1 (0 open1 closed)

Bug #15904: "add global param" button still available for read-only roleReleasedNicolas CHARLESActions
Actions #1

Updated by Nicolas CHARLES over 5 years ago

  • Target version set to 5.0.13
  • Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
  • Effort required set to Small
Actions #2

Updated by Vincent MEMBRÉ over 5 years ago

  • Target version changed from 5.0.13 to 5.0.14
Actions #3

Updated by François ARMAND over 5 years ago

  • User visibility set to Operational - other Techniques | Rudder settings | Plugins
  • Effort required changed from Small to Very Small
  • Priority changed from 0 to 101
Actions #4

Updated by François ARMAND over 5 years ago

This is not the case anymore (see screenshot 1). It's also OK for technique editor: you access the UI in rw, but can't save change (not the best, but at least it's safe - see screenshot 2).

But as of 5.0.14, a read_only user can modify/create global parameters. Updating the text appropriatly.

Actions #5

Updated by François ARMAND about 5 years ago

  • Assignee set to Elaad FURREEDAN
Actions #6

Updated by François ARMAND about 5 years ago

  • Assignee changed from Elaad FURREEDAN to François ARMAND
Actions #7

Updated by François ARMAND about 5 years ago

  • Status changed from New to In progress
  • Priority changed from 101 to 100
Actions #8

Updated by François ARMAND about 5 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from François ARMAND to Nicolas CHARLES
  • Pull Request set to https://github.com/Normation/rudder/pull/2495
Actions #9

Updated by François ARMAND about 5 years ago

  • Assignee changed from Nicolas CHARLES to Elaad FURREEDAN
Actions #10

Updated by François ARMAND about 5 years ago

  • Status changed from Pending technical review to Pending release
Actions #11

Updated by Vincent MEMBRÉ about 5 years ago

  • Fix check set to To do
Actions #12

Updated by Vincent MEMBRÉ about 5 years ago

  • Name check set to To do
Actions #13

Updated by Alexis Mousset about 5 years ago

  • Name check changed from To do to Reviewed
Actions #14

Updated by François ARMAND about 5 years ago

  • Fix check changed from To do to Error - Blocking
Actions #15

Updated by François ARMAND about 5 years ago

  • Fix check changed from Error - Blocking to Error - Fixed
Actions #16

Updated by Vincent MEMBRÉ about 5 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 5.0.14 which was released today.

Actions #17

Updated by Alexis Mousset over 4 years ago

  • Priority changed from 100 to 89
Actions #18

Updated by Alexis Mousset over 4 years ago

  • Subject changed from A user with read only access can global parameters to A user with read only access can modify global parameters
  • Priority changed from 89 to 87
Actions #19

Updated by Alexis Mousset over 1 year ago

  • Private changed from Yes to No
  • Priority changed from 87 to 0
Actions

Also available in: Atom PDF