Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nsqadmin: non admin user can delete the topic on a node #1390

Closed
guishoudaoge opened this issue Nov 29, 2021 · 4 comments · Fixed by #1462
Closed

nsqadmin: non admin user can delete the topic on a node #1390

guishoudaoge opened this issue Nov 29, 2021 · 4 comments · Fixed by #1462
Labels
bug help wanted

Comments

@guishoudaoge
Copy link

guishoudaoge commented Nov 29, 2021
edited

Hi Team

On the nsqadmin UI page, Non admin user can see the delete icon and delete the topic on a node successfully

tombstoneNodeForTopicHandler is not protected by isAuthorizedAdminRequest

Thanks
/Joe
@mreiferson mreiferson added the bug label Dec 4, 2021
@mreiferson
Copy link
Member

Yep, it also doesn't present a confirmation dialog.

@mreiferson mreiferson changed the title nsqadmin: Non admin user can delete the topic on a node nsqadmin: non admin user can delete the topic on a node Jan 16, 2022
@mreiferson mreiferson changed the title nsqadmin: non admin user can delete the topic on a node nsqadmin: non admin user can delete the topic on a node Jan 16, 2022
@SandroJijavadze
Copy link

If admin-user option is set on nsqadmin I can't see option to delete user with non-admin user.

@yai-dev
Copy link

yai-dev commented Dec 21, 2022

@mreiferson I cloned the latest master branch and tried to delete the topic and channel with the admin option enabled, the API responds FORBEDDEN, it looks like this bug has been fixed and this issue should be closed.

@mreiferson
Copy link
Member

@suenchunyu the request handler tombstoneNodeForTopicHandler is still missing the admin check, so it can't be fixed...

@dudleycarr dudleycarr mentioned this issue Sep 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug help wanted
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

nsqadmin: add admin check for topic/node thombstone endpoint dudleycarr/nsq
4 participants
@mreiferson @guishoudaoge @yai-dev @SandroJijavadze