Actions
Bug #24787
open
Some group endpoints list node ids outside of restricted tenant access
Pull Request:
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
I dislike using that feature
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Medium
Priority:
39
Name check:
To do
Fix check:
To do
Regression:
No
Description
When using the API token of a user with restricted tenant access, the groups API still return all node ids even outside its tenant.
Is has been fixed for/groups/{groupId} in #24708, but still relevant for some GET endpoints :
/groups: list of all groups/groups/tree: tree of all groups
We should also check all calls when we obtain a FullNodeGroupCategory
The endpoints should not leak node ids outside of a user's tenants
Updated by Clark ANDRIANASOLO 3 months ago
- Related to Bug #24708: Groups node ids list in API is still exhaustive even with restricted tenant access added
Updated by Vincent MEMBRÉ 3 months ago
- Target version changed from 8.1.2 to 8.1.3
Updated by Vincent MEMBRÉ about 2 months ago
- Target version changed from 8.1.3 to 8.1.4
- Priority changed from 40 to 39
Updated by Vincent MEMBRÉ about 1 month ago
- Target version changed from 8.1.4 to 8.1.5
Updated by Vincent MEMBRÉ 26 days ago
- Target version changed from 8.1.5 to 8.1.6
Actions