Requires user to be authenticated to retrieve plugin list. #4868

Merged
merged 1 commit into from Jun 28, 2018

dennisoelkers commented Jun 26, 2018

Description

Motivation and Context

Before this change, the SystemPluginResource, which returns the list of
installed plugins for this node, did not require any authentication at
all. This might lead to unnecessary disclosure of harmful information
and should be avoided.

Therefore this change adds the annotation which requires the caller of
the SystemPluginResource to be authenticated. If this is not
sufficient, a further check for a permission can be introduced.

Fixes #4863.


@dennisoelkers dennisoelkers added this to the 3.0.0 milestone Jun 26, 2018

@bernd bernd self-assigned this Jun 27, 2018

@bernd

bernd approved these changes Jun 28, 2018

@bernd bernd merged commit 267be4a into master Jun 28, 2018

4 of 5 checks passed

ci-web-linter Jenkins build graylog-pr-linter-check 2560 has failed
continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
graylog-project/pr Jenkins build graylog-project-pr-snapshot 1481 has succeeded
license/cla Contributor License Agreement is signed.

@bernd bernd deleted the issue-4863 branch Jun 28, 2018

bernd added a commit that referenced this pull request Jun 28, 2018

Requires user to be authenticated to retrieve plugin list. (#4868)

(cherry picked from commit 267be4a)

dennisoelkers added a commit that referenced this pull request Jun 28, 2018

Requires user to be authenticated to retrieve plugin list. (#4868) (#4875)

(cherry picked from commit 267be4a)
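
The class of bug fixed here, a REST resource with no authentication annotation, can be caught with a source check. The following is an added example, not code from this pull request or the project: it assumes the annotation is Apache Shiro's `@RequiresAuthentication` (the text above does not name it), and the resource path and `PluginList` type in the sample are constructed.

```python
import re

# Assumption: the annotation is Apache Shiro's @RequiresAuthentication;
# the pull request text does not name it.
AUTH = "@RequiresAuthentication"
HTTP_VERBS = {"@GET", "@POST", "@PUT", "@DELETE", "@PATCH", "@HEAD"}
CLASS_RE = re.compile(r"\bclass\s+(\w+)")
METHOD_RE = re.compile(r"(\w+)\s*\(")
ANNOTATION_RE = re.compile(r"@\w+")

def unauthenticated_endpoints(java_source):
    """Return 'Class.method' for each JAX-RS handler with no auth annotation
    on either the method or its enclosing class."""
    findings, pending = [], set()
    class_name, class_has_auth = None, False
    for raw in java_source.splitlines():
        line = raw.strip()
        if not line or line.startswith(("//", "*", "/*")):
            continue  # skip blanks and comments
        if line.startswith("@"):
            # Collect annotations until the declaration they belong to.
            name = ANNOTATION_RE.match(line)
            if name:
                pending.add(name.group(0))
            continue
        cls = CLASS_RE.search(line)
        if cls:
            class_name, class_has_auth = cls.group(1), AUTH in pending
        elif pending & HTTP_VERBS:
            method = METHOD_RE.search(line)
            if method and not (class_has_auth or AUTH in pending):
                findings.append(f"{class_name}.{method.group(1)}")
        pending = set()  # annotations apply only to the next declaration
    return findings

# Constructed sample: a resource without the annotation, and with it added.
BEFORE = '''
@Path("/example/plugins")
public class SystemPluginResource {
    @GET
    @Timed
    public PluginList list() {
        return PluginList.create(plugins);
    }
}
'''
AFTER = "@RequiresAuthentication" + BEFORE

if __name__ == "__main__":
    print("before:", unauthenticated_endpoints(BEFORE))
    print("after: ", unauthenticated_endpoints(AFTER))
```

The check is line-based and expects each annotation on its own line above the declaration; it only establishes that an authentication annotation is present, not that a permission check follows.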