Bug #9133
Closed
Quicksearch does not enforce user authorizations
Description
An inventory user gets, for example, access to all directive parameters through the quicksearch.
Updated by François ARMAND about 8 years ago
Can someone list the expected roles with limitations (and the limitations)?
Updated by Vincent MEMBRÉ about 8 years ago
The rights list is:
"node", "group", "deployment", "administration", "configuration", "rule", "technique", "directive", "validator", "deployer"
I guess we can only keep
"node", "group", "rule", "directive"
Maybe 'configuration' can be added (it always defines 'rule' and 'directive' access)
But the mapping is clear for almost, and "parameters" should be accessed if Directive read rights are granted
Updated by Vincent MEMBRÉ about 8 years ago
- Status changed from New to In progress
- Assignee set to Vincent MEMBRÉ
Updated by François ARMAND about 8 years ago
OK, so let's say:
- "configuration" gives rules, techniques, directives, parameters,
- "rule" gives access to rules,
- "directive" gives access to techniques, directives, parameters,
- "group" to groups,
- "node" to nodes
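The mapping agreed above, sketched as a server-side filter. This is an added example, not part of the ticket and not Rudder's code: the `Hit` type, the function names, the singular kind names and the sample index are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Right -> quicksearch object kinds, following the mapping in the comment above.
# Kind names ("parameter", "technique", ...) are hypothetical labels.
RIGHT_TO_KINDS = {
    "configuration": {"rule", "technique", "directive", "parameter"},
    "rule": {"rule"},
    "directive": {"technique", "directive", "parameter"},
    "group": {"group"},
    "node": {"node"},
}


@dataclass(frozen=True)
class Hit:
    kind: str   # object kind the hit belongs to
    name: str
    value: str


def allowed_kinds(rights):
    """Union of kinds granted by the rights; unmapped rights grant nothing."""
    kinds = set()
    for right in rights:
        kinds |= RIGHT_TO_KINDS.get(right, set())
    return kinds


def quicksearch(index, query, rights):
    """Search only inside the kinds the caller is allowed to read."""
    kinds = allowed_kinds(rights)
    if not kinds:
        return []
    q = query.lower()
    # The kind check comes first, so values of forbidden objects are never
    # compared against the query and cannot be probed through search terms.
    return [h for h in index
            if h.kind in kinds and (q in h.name.lower() or q in h.value.lower())]


# Constructed sample index (not real Rudder data).
INDEX = [
    Hit("node", "web01.example.org", "Debian 8"),
    Hit("group", "All web servers", "dynamic"),
    Hit("rule", "Harden web tier", "enabled"),
    Hit("directive", "Web service password", "param: web_admin_password"),
    Hit("parameter", "web_admin_password", "constructed-secret"),
]
```

Rights from the full list that have no entry in the mapping ("administration", "validator", "deployer", ...) fall through to an empty result, so a right added later is denied until it is mapped explicitly.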
Updated by Vincent MEMBRÉ about 8 years ago
- Status changed from In progress to Pending technical review
- Assignee changed from Vincent MEMBRÉ to François ARMAND
- Pull Request set to https://github.com/Normation/rudder/pull/1209
Updated by Vincent MEMBRÉ about 8 years ago
- Status changed from Pending technical review to Pending release
- % Done changed from 0 to 100
Applied in changeset rudder|3789530f0eaedd2a7cae90b9d0b6ba01e892d3fa.
Updated by Vincent MEMBRÉ about 8 years ago
- Status changed from Pending release to Released
This bug has been fixed in Rudder 3.1.15/14 and 3.2.8/7 which were released today.
- 3.1: Announce Changelog
- 3.2: Announce Changelog
- Download: https://www.rudder-project.org/site/get-rudder/downloads/
Updated by Vincent MEMBRÉ over 5 years ago
- Private changed from Yes to No
- Priority set to 0