Reader user cannot edit their own information #4420

Closed
edmundoa opened this issue Dec 13, 2017 · 1 comment · Fixed by #4488
@edmundoa
Contributor

While testing a PR I tried to edit a reader user's information and could not get to the edit page. I got redirected to the not found page and I saw an error saying:
There was an error fetching a resource: cannot GET http://localhost:9000/api/system/authentication/config (403). Additional information: Not authorized

Expected Behaviour

User should be able to see and edit their own information

Current Behavior

Getting to the user form loads a resource the user is not allowed to load and the user gets redirected to the not found page.

Steps to Reproduce (for bugs)

  1. Create reader user
  2. Go to the navigation bar -> name -> edit profile
  3. Get redirected to 404 page

Your Environment

  • Graylog Version: Graylog 3.0.0-SNAPSHOT (ca0746d). Graylog 2.4.0-beta.3-SNAPSHOT+846449b is not affected by this issue.
@edmundoa edmundoa added the bug label Dec 13, 2017
@edmundoa edmundoa changed the title Reader user cannot edit its own information Reader user cannot edit their own information Dec 13, 2017
@bernd bernd added this to the 3.0.0 milestone Dec 18, 2017
@bernd bernd added blocker If not finished by release date, the release will be postponed. triaged labels Dec 18, 2017
@mayrstefan
Contributor

This issue also affects the 2.4.0 release (Graylog 2.4.0+2115a42)

@kroepke kroepke modified the milestones: 3.0.0, 2.4.1 Jan 17, 2018
@kroepke kroepke self-assigned this Jan 17, 2018
kroepke added a commit that referenced this issue Jan 17, 2018
instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420
@ghost ghost added the in progress label Jan 17, 2018
bernd pushed a commit that referenced this issue Jan 18, 2018
* include authentication permissions in meta resource

fixes #4442

* filter authentication provider information by realm names

instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420
@ghost ghost removed the in progress label Jan 18, 2018
bernd pushed a commit that referenced this issue Jan 18, 2018
* include authentication permissions in meta resource

fixes #4442

* filter authentication provider information by realm names

instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420

(cherry picked from commit 5a4376d)
@ghost ghost assigned bernd Jan 18, 2018
kroepke pushed a commit that referenced this issue Jan 19, 2018
* include authentication permissions in meta resource

fixes #4442

* filter authentication provider information by realm names

instead of requiring a global permission, apply the permission check to each
realm to be returned.
this makes it possible to assign more finely grained access, but more importantly
allows the call to succeed even if the user cannot see any realm configuration
in that case the set is merely empty, but it is not a permission violation

this allows users to edit their own profile again

fixes #4420

(cherry picked from commit 5a4376d)
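
The change described in the commit messages above (a permission check per realm instead of one global gate), as an added Python sketch that is not Graylog's code. The permission strings, realm names, users and function names are hypothetical, and the wildcard matcher is a simplified model.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Stands in for an HTTP 403 response."""

@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset

# Constructed sample data; realm names and fields are hypothetical.
REALMS = {"ldap": {"server": "ldap.example.org"}, "password": {"min_length": 12}}

def implies(granted, requested):
    """Simplified wildcard match: a shorter or '*' grant covers longer requests."""
    g, r = granted.split(":"), requested.split(":")
    if any(a not in ("*", b) for a, b in zip(g, r)):
        return False
    return all(part == "*" for part in g[len(r):])

def is_permitted(user, permission):
    return any(implies(p, permission) for p in user.permissions)

def config_global_gate(user):
    """Before: a single global permission guards the whole response."""
    if not is_permitted(user, "authentication:read"):
        raise Forbidden("Not authorized")
    return dict(REALMS)

def config_per_realm(user):
    """After: default-deny check per realm; nothing visible yields {}."""
    return {name: cfg for name, cfg in REALMS.items()
            if is_permitted(user, f"authentication:read:{name}")}

def open_profile_form(user, fetch_config):
    """Models the page load from the issue: a failed fetch ends on 'not found'."""
    try:
        return {"page": "edit profile", "auth_config": fetch_config(user)}
    except Forbidden:
        return {"page": "not found"}

READER = User("reader", frozenset({"users:edit:reader"}))
LDAP_ADMIN = User("ldap-admin", frozenset({"authentication:read:ldap"}))
ADMIN = User("admin", frozenset({"*"}))

if __name__ == "__main__":
    for user in (READER, LDAP_ADMIN, ADMIN):
        before = open_profile_form(user, config_global_gate)["page"]
        after = open_profile_form(user, config_per_realm)
        print(user.name, "| before:", before, "| after:", after["page"], sorted(after["auth_config"]))
```

The per-realm variant stays default-deny: a realm is returned only when an explicit grant matches it, so the empty result discloses no realm names or settings.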