Actions
Bug #15104
closed
A user with read only access can modify global parameters
Pull Request:
Severity:
Critical - prevents main use of Rudder | no workaround | data loss | security
UX impact:
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Very Small
Priority:
0
Name check:
Reviewed
Fix check:
Error - Fixed
Regression:
Description
This is a security issue
Is seems that the user can also modify techniques in the editor.
Found in 5.0.11
Files
Updated by Nicolas CHARLES almost 5 years ago
- Target version set to 5.0.13
- Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
- Effort required set to Small
Updated by Vincent MEMBRÉ over 4 years ago
- Target version changed from 5.0.13 to 5.0.14
Updated by François ARMAND over 4 years ago
- User visibility set to Operational - other Techniques | Rudder settings | Plugins
- Effort required changed from Small to Very Small
- Priority changed from 0 to 101
Updated by François ARMAND over 4 years ago
- File 2019-09-16_16.01.23-Rudder_-_Management.png 2019-09-16_16.01.23-Rudder_-_Management.png added
- Subject changed from A user with read only access can change global audit mode to A user with read only access can global parameters
This is not the case anymore (see screenshot 1). It's also OK for technique editor: you access the UI in rw, but can't save change (not the best, but at least it's safe - see screenshot 2).
But as of 5.0.14, a read_only user can modify/create global parameters. Updating the text appropriatly.
Updated by François ARMAND over 4 years ago
- Assignee changed from Elaad FURREEDAN to François ARMAND
Updated by François ARMAND over 4 years ago
- Status changed from New to In progress
- Priority changed from 101 to 100
Updated by François ARMAND over 4 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from François ARMAND to Nicolas CHARLES
- Pull Request set to https://github.com/Normation/rudder/pull/2495
Updated by François ARMAND over 4 years ago
- Assignee changed from Nicolas CHARLES to Elaad FURREEDAN
Updated by François ARMAND over 4 years ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|abb32ff643395670ce7415db1874dce5204ed328.
Updated by Alexis Mousset over 4 years ago
- Name check changed from To do to Reviewed
Updated by François ARMAND over 4 years ago
- Fix check changed from To do to Error - Blocking
Updated by François ARMAND over 4 years ago
- Fix check changed from Error - Blocking to Error - Fixed
Updated by Vincent MEMBRÉ over 4 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 5.0.14 which was released today.
Updated by Alexis Mousset almost 4 years ago
- Subject changed from A user with read only access can global parameters to A user with read only access can modify global parameters
- Priority changed from 89 to 87
Updated by Alexis Mousset 8 months ago
- Private changed from Yes to No
- Priority changed from 87 to 0
Actions