Project

General

Profile

Actions

Bug #24787

open

Some group endpoints list node ids outside of restricted tenant access

Added by Clark ANDRIANASOLO 8 months ago. Updated 6 days ago.

Status:
New
Priority:
N/A
Category:
API
Target version:
Severity:
Minor - inconvenience | misleading | easy workaround
UX impact:
I dislike using that feature
User visibility:
Operational - other Techniques | Rudder settings | Plugins
Effort required:
Medium
Priority:
36
Name check:
To do
Fix check:
To do
Regression:
No

Description

When using the API token of a user with restricted tenant access, the groups API still return all node ids even outside its tenant.

Is has been fixed for /groups/{groupId} in #24708, but still relevant for some GET endpoints :
  • /groups : list of all groups
  • /groups/tree : tree of all groups

We should also check all calls when we obtain a FullNodeGroupCategory

The endpoints should not leak node ids outside of a user's tenants


Related issues 1 (0 open1 closed)

Related to Rudder - Bug #24708: Groups node ids list in API is still exhaustive even with restricted tenant accessReleasedFrançois ARMANDActions
Actions

Also available in: Atom PDF