Fixed issue with downloading report #1827
Conversation
…d column in miq_report_result table to 'admin|2d7db0c5addb0eb91de3541c811ea02e|download' and this user does not belong to any group. Solution: Reverting back to previous logic. https://bugzilla.redhat.com/show_bug.cgi?id=1471014
|
Checked commit yrudman@9e3e8bc with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0 |
|
\cc @h-kataria @dclarizio |
|
looks good. |
Fixed issue with downloading report (cherry picked from commit 282755e) https://bugzilla.redhat.com/show_bug.cgi?id=1479994
|
Fine backport details: |
|
Euwe backport (to manageiq repo) details: |
|
@yrudman @h-kataria Same problem in Cloud Intel -> Dashboard -> FullScreen/Download PDF. On lines https://github.com/ManageIQ/manageiq-ui-classic/blob/master/app/controllers/application_controller.rb#L574 and https://github.com/ManageIQ/manageiq-ui-classic/blob/master/app/controllers/application_controller/report_downloads.rb#L54 . Not sure if it should be solved in the same way... because it was introduced by #1627 . |
Sorry, but this is wrong. It's very easy to get around such check. You cannot trust the browser/user/the Internet that an action will not be executed because the button is not there. This creates a security issue. This issue needs to be fixed differently. |
|
@simaishi : this should not get released |
|
See discussion from #1627 (comment) on. TLDR: we can probably find all the places which don't set |
|
@simaishi
Security check removed from temporary record. I agree, solution is not perfect (since something could go wrong in step 2 and temp record could become permanent) but not as bad as looks like, or I am missing something ? |
|
I think this particular fix is really not a security regression per se. The only problem with this fix is that it doesn't fix all the places, and fixing them the same way would be a security regression. So.. this is OK, but dangerous if anybody copies it. So... maybe let's focus on fixing it properly instead, so we can keep all the fixes the same? @yrudman What do you know about what report results should be actually visible to which user? Do you have any answer to my question here? - Should the report results really be visible to any member of the current group of the user who generated it? |
|
right, this fix can not be blindly copied. It looks like that different workflows related to reports should be treated differently.
EDIT: it looks like different record created for different group, look at record starting with |
|
Ah, there can be multiple groups in there? Any idea where that would come from? All I can see is that But .. in the screenshot, only the middle field is a group, so so far I'm not seeing any evidence of multiple groups being supported. |
Ah, so this mechanism is definitely insuficcient and will need at least a role support added, good to know :). I wonder if it makes more sense to fix that EDIT: actually, silly question, definitely need to add role id field if that is something we need to support. |
|
|
Yet I can see only one of those groups in that field.. So we're probably losing that data right now, right? (Or, keeping it in widget, but not in the report result.) |
|
we are not loosing it, |
Issue: Connecting as admin user and executing download will set userid column in
miq_report_resulttable to 'admin|2d7db0c5addb0eb91de3541c811ea02e|download'. As result record is not found forcurrent_user.https://bugzilla.redhat.com/show_bug.cgi?id=1471014
Solution: Do not check if
curent_usercan access data for downloading. We can remove this check since download button available only when specific report selected and visibility restriction was already applied to list of reports.BEFORE:
AFTER:
@miq-bot add-label bug, fine/yes, euwe/yes
\cc @gtanzillo