Project

General

Profile

Actions

Bug #24787

open

Some group endpoints list node ids outside of restricted tenant access

Added by Clark ANDRIANASOLO about 2 months ago. Updated 18 days ago.

Status:
New
Priority:
N/A
Category:
API
Target version:
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
I dislike using that feature
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Medium
Priority:
39
Name check:
To do
Fix check:
To do
Regression:
No

Description

When using the API token of a user with restricted tenant access, the groups API still return all node ids even outside its tenant.

Is has been fixed for /groups/{groupId} in #24708, but still relevant for some GET endpoints :
  • /groups : list of all groups
  • /groups/tree : tree of all groups

We should also check all calls when we obtain a FullNodeGroupCategory

The endpoints should not leak node ids outside of a user's tenants


Related issues 1 (0 open1 closed)

Related to Rudder - Bug #24708: Groups node ids list in API is still exhaustive even with restricted tenant accessReleasedFrançois ARMANDActions
Actions #1

Updated by Clark ANDRIANASOLO about 2 months ago

  • Related to Bug #24708: Groups node ids list in API is still exhaustive even with restricted tenant access added
Actions #2

Updated by Vincent MEMBRÉ about 2 months ago

  • Target version changed from 8.1.2 to 8.1.3
Actions #3

Updated by Vincent MEMBRÉ 18 days ago

  • Target version changed from 8.1.3 to 8.1.4
  • Priority changed from 40 to 39
Actions

Also available in: Atom PDF