Reader user cannot edit their own information #4420

Closed
edmundoa opened this Issue Dec 13, 2017 · 1 comment


edmundoa commented Dec 13, 2017

While testing a PR I tried to edit a reader user's information and could not get to the edit page. I got redirected to the not found page and I saw an error saying:

There was an error fetching a resource: cannot GET http://localhost:9000/api/system/authentication/config (403). Additional information: Not authorized

Expected Behaviour

User should be able to see and edit their own information

Current Behavior

Getting to the user form loads a resource the user is not allowed to load and the user gets redirected to the not found page.

Steps to Reproduce (for bugs)

  1. Create reader user
  2. Go to the navigation bar -> name -> edit profile
  3. Get redirected to 404 page

Your Environment

  • Graylog Version: Graylog 3.0.0-SNAPSHOT (ca0746d). Graylog 2.4.0-beta.3-SNAPSHOT+846449b is not affected by this issue.

@edmundoa edmundoa added the bug label Dec 13, 2017

@edmundoa edmundoa changed the title from Reader user cannot edit its own information to Reader user cannot edit their own information Dec 13, 2017

@bernd bernd added this to the 3.0.0 milestone Dec 18, 2017


mayrstefan commented Jan 10, 2018

This issue also affects the 2.4.0 release (Graylog 2.4.0+2115a42)

@kroepke kroepke modified the milestones: 3.0.0, 2.4.1 Jan 17, 2018

@kroepke kroepke self-assigned this Jan 17, 2018

kroepke added a commit that referenced this issue Jan 17, 2018

filter authentication provider information by realm names
instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420
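The commit message above describes the authorization change in general terms: instead of gating the whole realm-listing call on one global permission (which turned into the 403 and the not-found redirect the reporter saw), the check is applied per realm and callers without access simply get an empty set. The following Python is an added illustration of that pattern, written for this page; it is not Graylog's code. The wildcard matcher is a simplified Shiro-style one, and the permission strings, realm names and users are constructed for the example.

```python
"""Per-item permission filtering versus a single global gate (added illustration).

Assumptions (not taken from the Graylog code base): permissions are
colon-delimited wildcard strings matched Shiro-style, realm names and
user permission sets are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict


class NotAuthorized(Exception):
    """Stands in for the HTTP 403 the reader user saw in the issue."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset  # e.g. {"authentication:read:ldap"}


def _implies(granted: str, required: str) -> bool:
    """Simplified Shiro-like wildcard check (assumption, not Graylog's matcher).

    "*" matches any value in that position; parts omitted at the end of a
    grant are implied wildcards, but a grant that is MORE specific than the
    requirement does not imply it.
    """
    g = granted.split(":")
    r = required.split(":")
    for i, part in enumerate(r):
        if i >= len(g):
            return True  # trailing parts omitted in the grant are implied
        if g[i] != "*" and g[i] != part:
            return False
    # extra trailing parts in the grant must all be wildcards
    return all(p == "*" for p in g[len(r):])


def is_permitted(user: User, required: str) -> bool:
    return any(_implies(g, required) for g in user.permissions)


# Constructed realm configuration; names are placeholders, not Graylog's.
REALMS: Dict[str, dict] = {
    "access-token": {"enabled": True},
    "ldap": {"enabled": False},
    "password": {"enabled": True},
}


def list_realms_global_gate(user: User) -> Dict[str, dict]:
    """Pre-fix shape: one global permission guards the whole call.

    A user lacking it gets an authorization error even though nothing
    in the response would have been theirs to see anyway.
    """
    if not is_permitted(user, "authentication:read"):
        raise NotAuthorized(f"{user.name} may not read authentication config")
    return dict(REALMS)


def list_realms_filtered(user: User) -> Dict[str, dict]:
    """Post-fix shape: check each realm on its own and return only the
    permitted ones. No permission means an empty result, not a violation."""
    return {
        name: cfg
        for name, cfg in REALMS.items()
        if is_permitted(user, f"authentication:read:{name}")
    }


def load_profile_page(user: User, list_realms: Callable[[User], Dict[str, dict]]) -> str:
    """Mirrors the UI path in the report: the edit page fetches the auth
    config first, and an authorization error sends the user to not-found."""
    try:
        list_realms(user)
    except NotAuthorized:
        return "not-found"
    return "edit-profile"


# Constructed sample users (permission sets are illustrative, not real roles).
ADMIN = User("admin", frozenset({"*"}))
READER = User("reader", frozenset({"users:read:reader", "users:edit:reader"}))
AUDITOR = User("auditor", frozenset({"authentication:read:ldap"}))


if __name__ == "__main__":
    for u in (ADMIN, READER, AUDITOR):
        print(u.name, "global gate ->", load_profile_page(u, list_realms_global_gate))
        print(u.name, "filtered    ->", load_profile_page(u, list_realms_filtered),
              sorted(list_realms_filtered(u)))
```

Running it shows the two behaviours side by side: the reader is bounced to the not-found page under the global gate but reaches the edit form with the per-realm filter, and a user granted access to a single realm sees exactly that realm rather than being refused outright. The defender's point is that a permission check placed on the collection, rather than on its items, forces every caller to hold a broader right than the data they actually need.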

@wafflebot wafflebot bot added the in progress label Jan 17, 2018

@bernd bernd closed this in #4488 Jan 18, 2018

bernd added a commit that referenced this issue Jan 18, 2018

Check auth realm access on instance level (#4488)
* include authentication permissions in meta resource

fixes #4442

* filter authentication provider information by realm names

instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420

@wafflebot wafflebot bot removed the in progress label Jan 18, 2018

bernd added a commit that referenced this issue Jan 18, 2018

Check auth realm access on instance level (#4488)
* include authentication permissions in meta resource

fixes #4442

* filter authentication provider information by realm names

instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420

(cherry picked from commit 5a4376d)

kroepke added a commit that referenced this issue Jan 19, 2018

Check auth realm access on instance level (#4488) (#4494)
* include authentication permissions in meta resource

fixes #4442

* filter authentication provider information by realm names

instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420

(cherry picked from commit 5a4376d)