
[SECURITY ISSUE] Why can other people push my packages? #282

Closed
leigh123linux opened this issue Aug 21, 2015 · 6 comments
Labels
API Issues related to Bodhi's REST API Critical We can't go on living in this sqalor, drop everything and fix it!

Comments

@leigh123linux

The permissions seem buggered on the new bodhi

https://bodhi.fedoraproject.org/updates/tint2-0.12.2-1.fc22

thofmann pushed tint2 to testing (he has no perms for this action)

https://bodhi.fedoraproject.org/updates/tint2-0.12.2-1.fc22#comment-313306

In return I unpushed (I have no right or perms to do so).

https://bodhi.fedoraproject.org/updates/parcimonie.sh-0-0.4.20150804gitc009937.el7

@morxa

morxa commented Aug 21, 2015

I confirm: I can push and revoke updates without having the right permissions, see https://lists.fedoraproject.org/pipermail/devel/2015-August/213639.html

@leigh123linux leigh123linux changed the title Why can other people push my packages? [SECURITY ISSUE] Why can other people push my packages? Aug 21, 2015
@ralphbean ralphbean added Critical We can't go on living in this sqalor, drop everything and fix it! API Issues related to Bodhi's REST API labels Aug 21, 2015
@lmacken
Contributor

lmacken commented Aug 21, 2015

Fixed in production. Please re-open if you still experience this issue.

@morxa

morxa commented Aug 22, 2015

There are still "Push to stable" buttons on updates where I should not have the permission to push anything. Is this fixed on https://bodhi.fedoraproject.org/ ?

@leigh123linux
Author

@morxa

I get permission denied if I try to use them on other users packages now.

@morxa

morxa commented Aug 22, 2015

OK, same for me, I get permission denied. I just expected the button to be shown only if I have permissions to do the action.

@ralphbean
Contributor

Hey team! The API service did in fact get fixed to deny people without rights in #292.

We do still need to update the template logic to not show the buttons if you don't have rights. I just filed that as a separate issue in #321, if you want to track it.
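The thread above separates two things: the API fix (deny requests from users without rights) and the template fix (stop rendering the buttons). The following is an added illustration of that split, not Bodhi's own code: a small policy function is enforced in the request handler, and the same function is reused by the template helper so the UI never shows an action the API would reject. The `Update`/`User` classes, the `COMMITTERS` map, the admin group names and the user `outsider` are constructed for the example.

```python
"""Server-side authorization for update state changes (added example, not Bodhi's code).

Hiding a button is a usability fix; the check in the API handler is the security
control, because the same request can be sent without ever seeing the button.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


class PermissionDenied(Exception):
    """Raised when a user may not perform an action on an update."""


@dataclass
class Update:
    title: str                     # e.g. "tint2-0.12.2-1.fc22"
    submitter: str                 # user who created the update
    package: str                   # source package name
    status: str = "pending"        # pending -> testing -> stable
    request: Optional[str] = None  # pending request: "testing" or "stable"


@dataclass
class User:
    name: str
    groups: Set[str] = field(default_factory=set)


# Constructed sample data (hypothetical): package -> committers allowed to act on it.
COMMITTERS = {
    "tint2": {"leigh123linux"},
    "parcimonie.sh": {"morxa"},
}
# Hypothetical admin groups that may act on any update.
ADMIN_GROUPS = {"releng", "bodhiadmin"}


def can_edit(user: User, update: Update) -> bool:
    """Policy: the submitter, a committer of the package, or an admin may act."""
    if user.name == update.submitter:
        return True
    if user.name in COMMITTERS.get(update.package, set()):
        return True
    return bool(user.groups & ADMIN_GROUPS)


def set_request(user: User, update: Update, request: str) -> Update:
    """API handler: the policy is checked here, regardless of what the UI showed."""
    if request not in {"testing", "stable", "unpush"}:
        raise ValueError(f"unknown request {request!r}")
    if not can_edit(user, update):
        raise PermissionDenied(
            f"{user.name} may not request {request} for {update.title}")
    if request == "unpush":
        update.request = None
        update.status = "unpushed"
    else:
        update.request = request
    return update


def action_buttons(user: User, update: Update) -> List[str]:
    """Template helper: render only the buttons the same policy would allow."""
    if not can_edit(user, update):
        return []
    return ["Push to testing", "Push to stable", "Unpush"]


if __name__ == "__main__":
    tint2 = Update("tint2-0.12.2-1.fc22", "leigh123linux", "tint2")
    print(action_buttons(User("outsider"), tint2))          # [] -> no buttons
    try:
        set_request(User("outsider"), tint2, "testing")     # denied at the API
    except PermissionDenied as exc:
        print("denied:", exc)
    print(set_request(User("leigh123linux"), tint2, "stable").request)
```

Both the handler and the template call `can_edit`, so the two cannot drift apart: a user who cannot see the button also cannot submit the request by hand, and a user who can see it will not get "permission denied" after clicking.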
