Bug #15104: A user with read only access can modify global parameters - Rudder - Issue Tracker

Custom queries

8.1 beta
Bugs triage
My TR
Need technical review
Open bugs (all)
Open bugs (UI - UX)
Open UX defects (all)
Opened by users

Actions

Copy link

Bug #15104

closed

A user with read only access can modify global parameters

Added by Benoît PECCATTE almost 5 years ago. Updated 9 months ago.

Status:

Released

Priority:

N/A

Assignee:

Elaad FURREEDAN

Category:

Security

Target version:

5.0.14

Pull Request:

https://github.com/Normation/rudder/p...

Severity:

Critical - prevents main use of Rudder | no workaround | data loss | security

UX impact:

User visibility:

Operational - other Techniques | Rudder settings | Plugins

Effort required:

Very Small

Priority:

Name check:

Reviewed

Fix check:

Error - Fixed

Regression:

Description

This is a security issue

Is seems that the user can also modify techniques in the editor.

Found in 5.0.11

Files

2019-09-16_16.01.23-Rudder_-_Management.png (34.2 KB) 2019-09-16_16.01.23-Rudder_-_Management.png

François ARMAND, 2019-09-16 16:01

Subtasks 1 (0 open — 1 closed)

Bug #15904: "add global param" button still available for read-only role

Released

Nicolas CHARLES

Actions

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Nicolas CHARLES almost 5 years ago

Target version set to 5.0.13
Severity set to Critical - prevents main use of Rudder | no workaround | data loss | security
Effort required set to Small

Actions

Copy link

Updated by Vincent MEMBRÉ over 4 years ago

Target version changed from 5.0.13 to 5.0.14

Actions

Copy link

Updated by François ARMAND over 4 years ago

User visibility set to Operational - other Techniques | Rudder settings | Plugins
Effort required changed from Small to Very Small
Priority changed from 0 to 101

Actions

Copy link

Updated by François ARMAND over 4 years ago

File 2019-09-16_16.01.23-Rudder_-_Management.png 2019-09-16_16.01.23-Rudder_-_Management.png added
Subject changed from A user with read only access can change global audit mode to A user with read only access can global parameters

This is not the case anymore (see screenshot 1). It's also OK for technique editor: you access the UI in rw, but can't save change (not the best, but at least it's safe - see screenshot 2).

But as of 5.0.14, a read_only user can modify/create global parameters. Updating the text appropriatly.

Actions

Copy link

Updated by François ARMAND over 4 years ago

Assignee set to Elaad FURREEDAN

Actions

Copy link

Updated by François ARMAND over 4 years ago

Assignee changed from Elaad FURREEDAN to François ARMAND

Actions

Copy link

Updated by François ARMAND over 4 years ago

Status changed from New to In progress
Priority changed from 101 to 100

Actions

Copy link

Updated by François ARMAND over 4 years ago

Status changed from In progress to Pending technical review
Assignee changed from François ARMAND to Nicolas CHARLES
Pull Request set to https://github.com/Normation/rudder/pull/2495

PR https://github.com/Normation/rudder/pull/2495

Actions

Copy link

Updated by François ARMAND over 4 years ago

Assignee changed from Nicolas CHARLES to Elaad FURREEDAN

Actions

Copy link

#10

Updated by François ARMAND over 4 years ago

Status changed from Pending technical review to Pending release

Applied in changeset rudder|abb32ff643395670ce7415db1874dce5204ed328.

Actions

Copy link

#11

Updated by Vincent MEMBRÉ over 4 years ago

Fix check set to To do

Actions

Copy link

#12

Updated by Vincent MEMBRÉ over 4 years ago

Name check set to To do

Actions

Copy link

#13

Updated by Alexis Mousset over 4 years ago

Name check changed from To do to Reviewed

Actions

Copy link

#14

Updated by François ARMAND over 4 years ago

Fix check changed from To do to Error - Blocking

Actions

Copy link

#15

Updated by François ARMAND over 4 years ago

Fix check changed from Error - Blocking to Error - Fixed

Actions

Copy link

#16

Updated by Vincent MEMBRÉ over 4 years ago

Status changed from Pending release to Released

This bug has been fixed in Rudder 5.0.14 which was released today.

5.0.14 changelog
Upgrade manual

Actions

Copy link

#17

Updated by Alexis Mousset almost 4 years ago

Priority changed from 100 to 89

Actions

Copy link

#18

Updated by Alexis Mousset almost 4 years ago

Subject changed from A user with read only access can global parameters to A user with read only access can modify global parameters
Priority changed from 89 to 87

Actions

Copy link

#19

Updated by Alexis Mousset 9 months ago

Private changed from Yes to No
Priority changed from 87 to 0

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Rudder

Custom queries

Bug #15104

A user with read only access can modify global parameters

Updated by Nicolas CHARLES almost 5 years ago

Updated by Vincent MEMBRÉ over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by Vincent MEMBRÉ over 4 years ago

Updated by Vincent MEMBRÉ over 4 years ago

Updated by Alexis Mousset over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by François ARMAND over 4 years ago

Updated by Vincent MEMBRÉ over 4 years ago

Updated by Alexis Mousset almost 4 years ago

Updated by Alexis Mousset almost 4 years ago

Updated by Alexis Mousset 9 months ago