Can CreateRule in project without proper permission #4301
Labels: auth-team, automate-auth, bug, customer-reported, emergent
Describe the problem

Users can create rules on projects that they do not have `iam:projects:update` permissions on.

Replication Case

In the automate ui:

1. Create a project with ID `no-perms`.
2. Create a user who has no permissions on any projects.
3. Using that user's Bearer token (taken from the network tab), attempt to create a rule on that project:

```sh
curl -kH "Authorization: Bearer $BTOK" $TARGET_HOST/apis/iam/v2/projects/no-perms/rules -d "$(jq -n '{ id: "rule2", name: "my foo rule", type: "NODE", project_id: "foo-project", conditions: [{ operator: "EQUALS", attribute: "CHEF_SERVER", values: ["why am i allowed to doooo thissss"]}]}')" | jq .
```

4. See the call succeed.
Possible Solution

We need to check the projects in the CreateRule function (automate/components/authz-service/storage/postgres/rule.go, line 19 in b3ca377) like we do on UpdateRule (automate/components/authz-service/storage/postgres/rule.go, line 68 in b3ca377).
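To make the missing check concrete, here is an added example in Go (not Automate's code): a hypothetical in-memory RuleStore with the unchecked CreateRule beside a fixed one that runs the same project check UpdateRule already does. Rule, RuleStore, WithUpdatableProjects and ensureProjectUpdatable are assumed names, and the caller's updatable projects are carried in the context as an authz layer would attach them.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// ErrProjectUnauthorized: the caller lacks iam:projects:update on the rule's project.
var ErrProjectUnauthorized = errors.New("caller lacks iam:projects:update on project")
// Rule and RuleStore are hypothetical stand-ins, not Automate's types or its Postgres store.
type Rule struct{ ID, Name, ProjectID string }
type RuleStore struct{ rules map[string]Rule }

func NewRuleStore() *RuleStore { return &RuleStore{rules: map[string]Rule{}} }
// ctxKey carries the projects the caller may update, as an authz layer would attach them.
type ctxKey struct{}

// WithUpdatableProjects records the projects on which the caller holds iam:projects:update.
func WithUpdatableProjects(ctx context.Context, projects ...string) context.Context {
	allowed := map[string]bool{}
	for _, p := range projects {
		allowed[p] = true
	}
	return context.WithValue(ctx, ctxKey{}, allowed)
}

// ensureProjectUpdatable is the check UpdateRule performs and CreateRule was missing.
func ensureProjectUpdatable(ctx context.Context, projectID string) error {
	allowed, _ := ctx.Value(ctxKey{}).(map[string]bool) // nil map lookups yield false
	if !allowed[projectID] {
		return fmt.Errorf("%w: %q", ErrProjectUnauthorized, projectID)
	}
	return nil
}

// CreateRuleUnchecked mirrors the reported bug: it stores the rule without consulting the caller's projects.
func (s *RuleStore) CreateRuleUnchecked(_ context.Context, r Rule) error {
	s.rules[r.ID] = r
	return nil
}

// CreateRule is the fixed form: the same project check as UpdateRule runs before the insert.
func (s *RuleStore) CreateRule(ctx context.Context, r Rule) error {
	if err := ensureProjectUpdatable(ctx, r.ProjectID); err != nil {
		return err
	}
	s.rules[r.ID] = r
	return nil
}
// Has reports whether a rule with the given ID was stored.
func (s *RuleStore) Has(id string) bool { _, ok := s.rules[id]; return ok }
```

A caller holding iam:projects:update only on `foo-project` is refused on `no-perms` by CreateRule, while CreateRuleUnchecked stores the rule anyway, which is the behaviour the report describes.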