
Tenant common variables permission problem #4555

Closed
mayuanyang opened this issue May 14, 2018 · 2 comments
kind/bug This issue represents a verified problem we are committed to solving tag/permissions

mayuanyang commented May 14, 2018

History

Previously, the VariableEdit permission was not checked when editing tenant variables; this was fixed in version 2018.4.6. Here is the related issue: #4474

Problem

If the team the user belongs to is scoped to a Project, Environment or Project Group, the user loses the ability to modify the Common Variables of a tenant.

Why

A tenant can have 2 types of variables, Project Variables and Common Variables.

  • Project Variables only affect the project and environment currently being edited
  • Common Variables affect all projects and environments that the tenant is connected to, so any change to the Common Variables will affect projects and environments even if the user is not scoped to them; this opens a security hole. (Note: we fixed this problem in 2018.4.7)

Proposed Solution

We could compare the scopes of the team to all the projects and environments that the tenant is connected to. Modification of a Common Variable should be allowed only when all of the tenant's projects and environments are within the team's scopes.

Case 1

Team scope: Projects-1, Environments-1
Tenant connection: Projects-1, Environments-1
Common variable modification: Allow

Case 2

Team scope: Projects-1, Environments-1
Tenant connection: Projects-1, Projects-2, Environments-1
Common variable modification: Deny, as Projects-2 is not in scope

Case 3

Team scope: Projects-1
Tenant connection: Projects-1, Environments-1, Environments-2
Common variable modification: Allow

Case 4

Team scope: Environments-1
Tenant connection: Projects-1, Environments-1
Common variable modification: Allow

Case 5

Team scope: Environments-1
Tenant connection: Projects-1, Environments-2
Common variable modification: Deny, Environments-2 is not in scope

Problem

The cases listed above can prevent a user from editing a common variable if a new project or environment is connected to the tenant. However, another user with enough permission could connect the tenant to another project and environment, which would implicitly inherit the variable value from the previous setting, one that was set up by a user who does not have permission to the new project or environment.
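The scope comparison proposed above, as an added example that is not part of the issue or of Octopus Deploy's own code. It models the five cases as constructed input; an empty team scope on a dimension is assumed to mean "unrestricted", which is what makes Cases 3 and 4 allow.

```python
from dataclasses import dataclass

# Constructed model of the proposal; not Octopus Deploy's implementation.
# An empty scope set on a dimension is treated as unrestricted (assumption).


@dataclass(frozen=True)
class TeamScope:
    projects: frozenset = frozenset()
    environments: frozenset = frozenset()


@dataclass(frozen=True)
class Tenant:
    projects: frozenset
    environments: frozenset


def out_of_scope(scoped, connected):
    """Connected items that the team's scope does not cover (none if unrestricted)."""
    return set() if not scoped else set(connected) - set(scoped)


def can_edit_common_variables(team, tenant, has_variable_edit=True):
    """Return (allowed, reason) for editing a tenant's Common Variables.

    Allowed only with VariableEdit AND when every project and environment the
    tenant is connected to lies inside the team's scopes (Cases 1-5 above).
    """
    if not has_variable_edit:
        return False, "Deny, missing VariableEdit permission"
    missing = sorted(out_of_scope(team.projects, tenant.projects)
                     | out_of_scope(team.environments, tenant.environments))
    if missing:
        return False, "Deny, " + ", ".join(missing) + " not in scope"
    return True, "Allow"


# The five cases from the proposal, constructed as sample input.
CASES = {
    1: (TeamScope({"Projects-1"}, {"Environments-1"}),
        Tenant({"Projects-1"}, {"Environments-1"})),
    2: (TeamScope({"Projects-1"}, {"Environments-1"}),
        Tenant({"Projects-1", "Projects-2"}, {"Environments-1"})),
    3: (TeamScope({"Projects-1"}),
        Tenant({"Projects-1"}, {"Environments-1", "Environments-2"})),
    4: (TeamScope(environments={"Environments-1"}),
        Tenant({"Projects-1"}, {"Environments-1"})),
    5: (TeamScope(environments={"Environments-1"}),
        Tenant({"Projects-1"}, {"Environments-2"})),
}


def evaluate_cases():
    """Map each case number to whether the edit is allowed."""
    return {n: can_edit_common_variables(t, tn)[0] for n, (t, tn) in CASES.items()}
```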

@pawelpabich pawelpabich added kind/bug This issue represents a verified problem we are committed to solving tag/permissions labels May 14, 2018
@mayuanyang mayuanyang added this to the 2018.5.2 milestone May 17, 2018
@mayuanyang (Author)

Release Note: Users can now modify tenant Common Variables if they have access to all projects and/or all environments this tenant is connected to with VariableEdit permission.


lock bot commented Nov 23, 2018

This thread has been automatically locked since there has not been any recent activity after it was closed. If you think you've found a related issue, please contact our support team so we can triage your issue, and make sure it's handled appropriately.

@lock lock bot locked as resolved and limited conversation to collaborators Nov 23, 2018