Bug #24787: Some group endpoints list node ids outside of restricted tenant access - Rudder - Issue Tracker

Actions

Copy link

Bug #24787

open

Some group endpoints list node ids outside of restricted tenant access

Added by Clark ANDRIANASOLO 7 months ago. Updated 14 days ago.

Status:

New

Priority:

N/A

Assignee:

Clark ANDRIANASOLO

Category:

API

Target version:

8.1.9

Pull Request:

Severity:

Minor - inconvenience | misleading | easy workaround

UX impact:

I dislike using that feature

User visibility:

Operational - other Techniques | Rudder settings | Plugins

Effort required:

Medium

Priority:

Name check:

To do

Fix check:

To do

Regression:

Description

When using the API token of a user with restricted tenant access, the groups API still return all node ids even outside its tenant.

Is has been fixed for /groups/{groupId} in #24708, but still relevant for some GET endpoints :

/groups : list of all groups
/groups/tree : tree of all groups

We should also check all calls when we obtain a FullNodeGroupCategory

The endpoints should not leak node ids outside of a user's tenants

Related issues 1 (0 open — 1 closed)

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

Rudder

Custom queries

Bug #24787

Some group endpoints list node ids outside of restricted tenant access

Updated by Clark ANDRIANASOLO 7 months ago

Updated by Vincent MEMBRÉ 7 months ago

Updated by Vincent MEMBRÉ 6 months ago

Updated by Vincent MEMBRÉ 5 months ago

Updated by Vincent MEMBRÉ 5 months ago

Updated by Vincent MEMBRÉ 4 months ago

Updated by Vincent MEMBRÉ 2 months ago

Updated by Vincent MEMBRÉ 14 days ago