Project

General

Profile

Actions
Copy link

Bug #24787

open

Some group endpoints list node ids outside of restricted tenant access

Added by Clark ANDRIANASOLO 10 days ago. Updated 6 days ago.

Status:
New
Priority:
N/A
Assignee:
Clark ANDRIANASOLO
Category:
API
Target version:
8.1.3
Pull Request:
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
I dislike using that feature
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Medium
Priority:
40
Name check:
To do
Fix check:
To do
Regression:
No

Description

When using the API token of a user with restricted tenant access, the groups API still return all node ids even outside its tenant.

Is has been fixed for /groups/{groupId} in #24708, but still relevant for some GET endpoints :
  • /groups : list of all groups
  • /groups/tree : tree of all groups

We should also check all calls when we obtain a FullNodeGroupCategory

The endpoints should not leak node ids outside of a user's tenants

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #24708: Groups node ids list in API is still exhaustive even with restricted tenant accessReleasedFrançois ARMANDActions
Actions
Copy link
 #1

Updated by Clark ANDRIANASOLO 10 days ago

  • Related to Bug #24708: Groups node ids list in API is still exhaustive even with restricted tenant access added
Actions
Copy link
 #2

Updated by Vincent MEMBRÉ 6 days ago

  • Target version changed from 8.1.2 to 8.1.3
Actions
Copy link

Also available in: Atom PDF