Bug #26602
User with "compliance" perm get error on group, directive pages
Description
When using a user with the "compliance" permission and only that one, when we get on a group detail, we have two errors regarding server error.
The same kind of error happens on directive, and rule, node (see screenshots).
=> only the compliance tab of nodes, rules, directives, groups should be accessible for a user with only compliance perm.
Plus, that permission profile has access to techniques and global properties: it should not.
Seen in 8.3, but the behavior is likely also incorrect in 8.2.
It also happens on the node details and the rules page.
Updated by Nicolas CHARLES 5 days ago
- File clipboard-202503241424-ml8rx.png added
- Description updated
Updated by Nicolas CHARLES 5 days ago
- File clipboard-202503241425-irwu9.png added
- Description updated
Updated by Nicolas CHARLES 5 days ago
Log says:
2025-03-24 13:26:24+0000 INFO api-processing.response-error - "Authorization error: User 'dev' is not allowed to access GET secure/api/user/api/token/status"
2025-03-24 13:26:26+0000 WARN api-processing - User 'dev' is not authorized to access API 'writeFileResource
2025-03-24 13:26:26+0000 INFO api-processing.response-error - "User 'dev' is not authorized to access API 'writeFileResource"
2025-03-24 13:26:26+0000 WARN api-processing - Authorization error for 'GET secure/api/user/api/token/status': User 'dev' is not allowed to access GET secure/api/user/api/token/status
2025-03-24 13:26:26+0000 INFO api-processing.response-error - "Authorization error: User 'dev' is not allowed to access GET secure/api/user/api/token/status"
2025-03-24 13:26:30+0000 WARN api-processing - Authorization error for 'GET secure/api/settings/global_policy_mode': User 'dev' is not allowed to access GET secure/api/settings/{key}
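An added example, not part of the ticket or of Rudder's code: a small Python parser for the two denial messages quoted in the log above, grouping them by user and target to list which calls a restricted role's pages trigger. Collapsing a WARN line and its INFO echo when timestamp, user and target are identical is an assumption about this log format; the function and variable names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Log lines copied from the comment above (user 'dev', compliance-only role).
SAMPLE_LOG = """\
2025-03-24 13:26:24+0000 INFO api-processing.response-error - "Authorization error: User 'dev' is not allowed to access GET secure/api/user/api/token/status"
2025-03-24 13:26:26+0000 WARN api-processing - User 'dev' is not authorized to access API 'writeFileResource
2025-03-24 13:26:26+0000 INFO api-processing.response-error - "User 'dev' is not authorized to access API 'writeFileResource"
2025-03-24 13:26:26+0000 WARN api-processing - Authorization error for 'GET secure/api/user/api/token/status': User 'dev' is not allowed to access GET secure/api/user/api/token/status
2025-03-24 13:26:26+0000 INFO api-processing.response-error - "Authorization error: User 'dev' is not allowed to access GET secure/api/user/api/token/status"
2025-03-24 13:26:30+0000 WARN api-processing - Authorization error for 'GET secure/api/settings/global_policy_mode': User 'dev' is not allowed to access GET secure/api/settings/{key}
"""

TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}[+-]\d{4})"
# REST endpoint denial: "... is not allowed to access GET secure/api/..."
ENDPOINT = re.compile(
    TS + r".*?User '(?P<user>[^']+)' is not allowed to access "
    r"(?P<target>[A-Z]+ [^\s\"']+)")
# Named API denial: "... is not authorized to access API 'writeFileResource"
NAMED_API = re.compile(
    TS + r".*?User '(?P<user>[^']+)' is not authorized to access "
    r"API '(?P<target>[^\s\"']+)")


def denied_calls(log_text):
    """Return {user: {target: count}} for authorization denials in the log."""
    seen = set()                      # (timestamp, user, target) already counted
    per_user = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ENDPOINT.search(line) or NAMED_API.search(line)
        if not m:
            continue                  # not an authorization denial
        key = (m["ts"], m["user"], m["target"])
        if key in seen:
            continue                  # WARN/INFO echo of the same denial
        seen.add(key)
        per_user[m["user"]][m["target"]] += 1
    return {user: dict(counts) for user, counts in per_user.items()}


if __name__ == "__main__":
    for user, targets in denied_calls(SAMPLE_LOG).items():
        for target, count in sorted(targets.items()):
            print(f"{user}: {count} x {target}")
```

The last log line is counted under `GET secure/api/settings/{key}`, the route template named in the denial, not under the concrete `global_policy_mode` URL that was requested.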
Updated by François ARMAND 5 days ago
- Status changed from New to In progress
- Assignee set to François ARMAND
Updated by François ARMAND 5 days ago
- Subject changed from Error when Getting Policy Mode, details: The server had a problem, try again later to User with "compliance" perm get error on group, directive pages
- Description updated
- Priority changed from N/A to 1 (highest)
- Target version changed from 8.3.0~beta2 to 8.2.6
Updated by François ARMAND 5 days ago
- Status changed from In progress to New
- Assignee changed from François ARMAND to Clark ANDRIANASOLO
Updated by François ARMAND 2 days ago
- Priority changed from 1 (highest) to N/A
- Target version changed from 8.2.6 to 8.3.0~beta2
Updated by Clark ANDRIANASOLO 1 day ago
- File clipboard-202503271530-ojrig.png added
- File clipboard-202503271530-ec7z7.png added
- in 8.3 the bug is that the rights for the policy mode endpoints have changed (in #24872)
- there is another bug: the Administration menu is present and redirects to a 404 page, whereas in 8.2 it has a sub-menu for the "Techniques tree"
In 8.2, we will need to decide if we need to remove the access to the global properties and techniques + the techniques tree; it does not seem to be trivial on 8.3 directly since we have new tab and menu structures.
Updated by Clark ANDRIANASOLO 1 day ago
- Related to Architecture #24872: Rework api authorization models added
Updated by Clark ANDRIANASOLO 1 day ago
- Status changed from In progress to Pending technical review
- Assignee changed from Clark ANDRIANASOLO to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/6291
Updated by Clark ANDRIANASOLO 1 day ago
- Related to Bug #26642: Compliance right should not give access to techniques and global parameters added
Updated by Clark ANDRIANASOLO 1 day ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|ebcff5a064f6b9ee80e9b3621edd9c02b65390a5.