Project

General

Profile

Actions

Bug #5875

closed

It should not be possible to delete system directives

Added by Jonathan CLARKE over 9 years ago. Updated over 9 years ago.

Status:
Released
Priority:
2
Category:
Web - Config management
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
Name check:
Fix check:
Regression:

Description

I just managed to delete some system Directives:

This was possible via the Node details screen, in the reports section where all Rules and Directives have an "Edit" icon:

By clicking on this Edit icon, I could delete Directives (but not Rules). I found this in Rudder 3.0 and 2.11 via the Edit icon, but I was also able to do this on Rudder 2.10 by accessing this URL directly: https://rudder-server-name/rudder/secure/configurationManager/directiveManagement#{"directiveId":"inventory-all"}.

I suspect this is actually two bugs:
  1. We should not be able to delete system directives (at the internal API level)
  2. We should not display edit links on any system directives or rules

Since this allows to delete system Directives this is quite a bad bug. However, I don't see that is has security implications, since we can only delete existing Directives, and even then only ones that keep Rudder running, and only as an admin user.


Files

2.png (9.94 KB) 2.png Jonathan CLARKE, 2014-11-29 14:50
3.png (10.5 KB) 3.png Jonathan CLARKE, 2014-11-29 14:50

Related issues 3 (0 open3 closed)

Related to Rudder - Bug #5916: Remove edit link for system directive/rulesReleasedFrançois ARMAND2014-12-04Actions
Related to Rudder - Bug #5915: Error message when trying to delete a system directive is horribleReleasedFrançois ARMAND2014-12-04Actions
Related to Rudder - Bug #5923: System rule are modified when trying to delete a directiveReleasedNicolas CHARLES2014-12-04Actions
Actions

Also available in: Atom PDF