Bug #26952
open
User with only “Inventory” rights has a notification error when changing tab
Description
A ˘toto" user, created with only “Inventory” rights can access a lot more :
- System updates
- Nodes properties
- Node technical logs (that may show sensitive information)
Plus clicking on many tabs produce an error message :
Error Error when Getting node compliance, details: Unknown error
Even though some content gets displayed
Files
| User_toto_250522a.png (49.6 KB) User_toto_250522a.png | Toto only has inventory rights | ||
| User_inventory_access_250522a_updates.png (211 KB) User_inventory_access_250522a_updates.png | Toto can see system updates | ||
| User_inventory_access_250522b_properties.png (189 KB) User_inventory_access_250522b_properties.png | Toto can see nodes properties | ||
| User_inventory_access_250522c_tech_logs.png (263 KB) User_inventory_access_250522c_tech_logs.png | Toto can see technical logs | ||
| User_inventory_access_250522d_error.png (8.2 KB) User_inventory_access_250522d_error.png | Error message often displayed | ||
| clipboard-202506051548-ddp9w.png (96 KB) clipboard-202506051548-ddp9w.png | |||
| clipboard-202506051548-7hy8k.png (96 KB) clipboard-202506051548-7hy8k.png |
Updated by Vincent MEMBRÉ about 1 month ago
- Target version changed from 8.3.2 to 8.3.3
Updated by François ARMAND about 1 month ago
- Assignee set to Clark ANDRIANASOLO
- Priority changed from To review to 1 (highest)
- Severity changed from Major - prevents use of part of Rudder | no simple workaround to Critical - prevents main use of Rudder | no workaround | data loss | security
It's OK that inventory role gives access to node information, so OK for list of package (system update) and node properties.
It should not give access to technical logs thought.
Plus correcting the access errors.
Updated by Clark ANDRIANASOLO about 1 month ago
- Related to Bug #27040: Inventory role allows to get system status logs and technical logs added
Updated by Clark ANDRIANASOLO about 1 month ago
- Status changed from New to In progress
Updated by Clark ANDRIANASOLO about 1 month ago
- Status changed from In progress to Pending technical review
- Pull Request set to https://github.com/Normation/rudder/pull/6431
Updated by Clark ANDRIANASOLO about 1 month ago
- File clipboard-202506051548-ddp9w.png clipboard-202506051548-ddp9w.png added
- File clipboard-202506051548-7hy8k.png clipboard-202506051548-7hy8k.png added
- Subject changed from User with only “Inventory” rights can access too much information to User with only “Inventory” rights has a notification error when changing tab
- Status changed from Pending technical review to New
- Pull Request deleted (
https://github.com/Normation/rudder/pull/6431)
Contrary to 8.2, the 8.3 disallows the inventory user to get the system compliance (and the compliance is attempted to be fetched on every tab change) :
The main problem is #27040 in 8.2, and the fix for this one in 8.3 should only be about the access
Updated by Clark ANDRIANASOLO about 1 month ago
- Status changed from New to In progress
Updated by Clark ANDRIANASOLO about 1 month ago
- Status changed from In progress to Pending technical review
- Pull Request set to https://github.com/Normation/rudder/pull/6433
Updated by Clark ANDRIANASOLO about 1 month ago
- Status changed from Pending technical review to Pending release
Applied in changeset rudder|c22e30b8d05a2dc1922f343b3c307fd0422d4ce1.
Updated by 
