Hardening of the RBAC check #1581
Comments
@matthewd This might be relevant to your changes.

This issue has been automatically marked as stale because it has not been updated for at least 6 months. If you can still reproduce this issue on the current release or on Thank you for all your contributions!

@martinpovolny is this still a valid issue? If not, can you close it?

@martinpovolny looks like this issue has been open for some time and is now stale.

@miq_ bot move_issue ManageIQ/manageiq-ui-classic

Yes, this has been open for some time and the problem is still there. Trying to move the issue to ui-classic.

@miq-bot remove_label stale

This issue has been automatically marked as stale because it has not been updated for at least 6 months. If you can still reproduce this issue on the current release or on Thank you for all your contributions!

@miq-bot remove_label stale

@miq-bot add_label pinned

Closing as this has already been addressed by GHSA-46q7-rqqj-pxxj
The current code in app/controllers/application_controller.rb that does RBAC checking is:

Meaning that if we do not find a particular RBAC feature, we just validate the existence of a route and let the request in.

The routes are whitelisted in the route file and effort was put into making sure that we have all the features defined.

Right now I don't see an exploit for this, as there would have to be an extra route to an action that does not have an RBAC feature and check defined.

However, for a developer it's easy to forget and expose something this way.

Therefore we should change the code to:

and fix or change whatever needs to be done to make everything work as before from the user's perspective.
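As an added illustration (not ManageIQ's code, whose snippets are not reproduced on this page), the following contrasts the fail-open fallback the issue describes, where an action with no RBAC feature is admitted merely because a route exists, with a fail-closed check that denies it. The route table, feature map, `check_privileges_*` names and the `unmapped_routes` guard are all assumptions constructed for the example.

```ruby
require 'set'

# Constructed route table: controller#action pairs the router will dispatch.
# 'vm#debug_dump' is routed but a developer forgot to map an RBAC feature for it.
ROUTES = Set[
  'vm#show', 'vm#destroy',
  'vm#debug_dump'
].freeze

# Constructed map from controller#action to the RBAC feature it requires.
FEATURES = {
  'vm#show'    => 'vm_show',
  'vm#destroy' => 'vm_delete'
}.freeze

# A user is modelled as the set of feature identifiers their role grants.
def role_allows?(user_features, feature)
  user_features.include?(feature)
end

# Fail-open check, as the issue describes: when no feature is mapped for the
# action, fall back to "does a route exist?" and let the request in.
def check_privileges_open(user_features, controller, action)
  key = "#{controller}##{action}"
  feature = FEATURES[key]
  return ROUTES.include?(key) if feature.nil?   # unmapped action: allowed if routed
  role_allows?(user_features, feature)
end

# Fail-closed check: an action with no RBAC feature is denied regardless of routing.
def check_privileges_closed(user_features, controller, action)
  key = "#{controller}##{action}"
  feature = FEATURES[key]
  return false if feature.nil?                  # unmapped action: denied
  role_allows?(user_features, feature)
end

# Developer-side guard: every routed action must have a feature mapped, so a
# forgotten mapping is caught by a test run rather than discovered in production.
def unmapped_routes
  ROUTES.reject { |key| FEATURES.key?(key) }.sort
end
```

Running `unmapped_routes` in the test suite turns the "easy to forget" case into a failing build instead of an exposed action.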