Bug #24787 (open)
Some group endpoints list node ids outside of restricted tenant access
Pull Request:
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
I dislike using that feature
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Medium
Priority:
37
Name check:
To do
Fix check:
To do
Regression:
No
Description
When using the API token of a user with restricted tenant access, the groups API still returns all node ids, even outside its tenant.
It has been fixed for /groups/{groupId} in #24708, but is still relevant for some GET endpoints:
- /groups: list of all groups
- /groups/tree: tree of all groups
We should also check all calls when we obtain a FullNodeGroupCategory.
The endpoints should not leak node ids outside of a user's tenants.
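Added example (not part of the ticket and not Rudder code): a regression check that walks a nested group-category tree and reports every group whose node id list contains ids outside the caller's tenants, plus the redacted tree a fixed endpoint would be expected to return. The field names (`categories`, `groups`, `nodeIds`), the sample tree and all ids are constructed assumptions, not taken from the API.

```python
# Added example. The response layout and every id below are constructed.
from typing import Iterator


def iter_groups(category: dict, path: tuple = ()) -> Iterator[tuple]:
    """Yield (category path, group) for every group in a nested category tree."""
    here = path + (category.get("id", "?"),)
    for group in category.get("groups", []):
        yield here, group
    for sub in category.get("categories", []):
        yield from iter_groups(sub, here)


def find_leaks(root: dict, allowed_nodes: set) -> dict:
    """Map 'category/.../groupId' to the sorted node ids outside allowed_nodes."""
    leaks = {}
    for path, group in iter_groups(root):
        outside = sorted(set(group.get("nodeIds", [])) - allowed_nodes)
        if outside:
            leaks["/".join(path + (group["id"],))] = outside
    return leaks


def redact(root: dict, allowed_nodes: set) -> dict:
    """Copy of the tree with nodeIds restricted to allowed_nodes at every depth."""
    return {
        **root,
        "groups": [
            {**g, "nodeIds": [n for n in g.get("nodeIds", []) if n in allowed_nodes]}
            for g in root.get("groups", [])
        ],
        "categories": [redact(c, allowed_nodes) for c in root.get("categories", [])],
    }


# Constructed sample: tenant A owns node-a1 and node-a2, tenant B owns the rest.
TENANT_A_NODES = {"node-a1", "node-a2"}
SAMPLE_TREE = {
    "id": "GroupRoot",
    "groups": [{"id": "g-all", "nodeIds": ["node-a1", "node-b1"]}],
    "categories": [{
        "id": "cat-web",
        "groups": [{"id": "g-web", "nodeIds": ["node-a2"]},
                   {"id": "g-db", "nodeIds": ["node-b2", "node-b1"]}],
        "categories": [],
    }],
}

if __name__ == "__main__":
    print(find_leaks(SAMPLE_TREE, TENANT_A_NODES))
```

Run against a response fetched with a tenant-restricted token, an empty result from `find_leaks` is the pass condition for each endpoint listed above.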
Updated by Clark ANDRIANASOLO 6 months ago
- Related to Bug #24708: Groups node ids list in API is still exhaustive even with restricted tenant access added
Updated by Vincent MEMBRÉ 6 months ago
- Target version changed from 8.1.2 to 8.1.3
Updated by Vincent MEMBRÉ 5 months ago
- Target version changed from 8.1.3 to 8.1.4
- Priority changed from 40 to 39
Updated by Vincent MEMBRÉ 5 months ago
- Target version changed from 8.1.4 to 8.1.5
Updated by Vincent MEMBRÉ 4 months ago
- Target version changed from 8.1.5 to 8.1.6
Updated by Vincent MEMBRÉ 3 months ago
- Target version changed from 8.1.6 to 8.1.7
- Priority changed from 39 to 38
Updated by Vincent MEMBRÉ about 2 months ago
- Target version changed from 8.1.7 to 8.1.8
- Priority changed from 38 to 37