Avoid leakage of state.check_commandline to restricted users #784

Merged
merged 2 commits into from Jun 22, 2023


raviks789
Contributor

Users who do not have permission to see the object's Source tab must be restricted from accessing the object's state.check_commandline column.

fixes ref/IP/44766

@raviks789 raviks789 added the bug Something isn't working label Jun 21, 2023
@raviks789 raviks789 requested a review from nilmerg June 21, 2023 07:36
@raviks789 raviks789 self-assigned this Jun 21, 2023
@cla-bot cla-bot bot added the cla/signed CLA is signed by all contributors of a PR label Jun 21, 2023
@raviks789 raviks789 force-pushed the fix/check-commandline-only-on-source-permission branch 5 times, most recently from 8d406dd to d3b3ebc Compare June 21, 2023 14:28
@nilmerg nilmerg force-pushed the fix/check-commandline-only-on-source-permission branch from d3b3ebc to 2093690 Compare June 22, 2023 09:26
Member

@nilmerg nilmerg left a comment

I've removed the changes from createColumnControl. It's been VolatileStateResults which reapplied the commandline value read from redis.

library/Icingadb/Common/Auth.php (outdated, resolved)
library/Icingadb/Common/Auth.php (outdated, resolved)
raviks789 and others added 2 commits June 22, 2023 13:32
Users who do not have permission to see the object's `Source` tab must be
restricted from accessing the object's `state.check_commandline` column.
@raviks789 raviks789 force-pushed the fix/check-commandline-only-on-source-permission branch from 2093690 to 6f6defc Compare June 22, 2023 11:32
@raviks789 raviks789 requested a review from nilmerg June 22, 2023 11:34
@nilmerg nilmerg added this to the 1.1.0 milestone Jun 22, 2023
@nilmerg nilmerg merged commit 2c461b5 into master Jun 22, 2023
12 checks passed
@nilmerg nilmerg deleted the fix/check-commandline-only-on-source-permission branch June 22, 2023 12:49
@nilmerg nilmerg added the area/access-control Affects the authorization of users label Jun 22, 2023
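
The failure mode raised in the review comment above, where a column withheld at query time is put back by a later step that overlays values read from a cache, as an added sketch in PHP. It is not code from this pull request or from Icinga DB Web; every function name, the permission names and the sample data are hypothetical and constructed.

```php
<?php
// Added sketch: all names below are hypothetical, not Icinga DB Web's API.
const COLUMN_PERMISSIONS = ['state.check_commandline' => 'example/show-source'];

/** Columns the user may not see, given the permissions they hold. */
function deniedColumns(array $granted): array
{
    return array_keys(array_diff(COLUMN_PERMISSIONS, $granted));
}

/** Step 1: database query that never selects a denied column. */
function fetchRows(array $columns, array $denied): array
{
    $db = [[ // constructed sample row
        'host.name' => 'web01',
        'state.output' => 'OK',
        'state.check_commandline' => "'check_example' '--token' 'constructed'",
    ]];
    $allowed = array_flip(array_diff($columns, $denied));
    return array_map(fn(array $row) => array_intersect_key($row, $allowed), $db);
}

/** Step 2: overlay fresher values from a cache onto the fetched rows. */
function applyVolatileState(array $rows, array $denied, bool $enforce): array
{
    $cache = ['web01' => [ // constructed cache entry, keyed by host name
        'state.output' => 'OK - 200',
        'state.check_commandline' => "'check_example' '--token' 'constructed'",
    ]];
    foreach ($rows as &$row) {
        $fresh = $cache[$row['host.name']] ?? [];
        if ($enforce) {
            // Apply the same column restriction to the cached values.
            $fresh = array_diff_key($fresh, array_flip($denied));
        }
        $row = array_merge($row, $fresh);
    }
    unset($row);
    return $rows;
}

$denied = deniedColumns(['example/view-hosts']);
$rows = fetchRows(['host.name', 'state.output', 'state.check_commandline'], $denied);
foreach ([false, true] as $enforce) {
    $row = applyVolatileState($rows, $denied, $enforce)[0];
    $leaked = array_key_exists('state.check_commandline', $row);
    printf("restriction in overlay: %s, commandline present: %s\n",
        var_export($enforce, true), var_export($leaked, true));
}
```

Run with the PHP CLI (7.4 or later); the two output lines contrast the overlay without and with the restriction applied to the cached values.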