Fixes #19612 - CVE-2017-7505 don't expose admin to taxed users #4545
Conversation
@ares Didn't dive much into it but looks like failing tests are related.

Sadly, we relied on this behavior in some tests and code (notification recipients, authentication when login is disabled). All should be fixed now.
| subscribers = subscriber_ids | ||
| notification_recipients.build subscribers.map{|id| { :user_id => id}} | ||
| subscribers = User.unscoped.where(:id => subscriber_ids) | ||
| notification_recipients.build subscribers.map{|user| { :user => user}} |
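Review bot: the `User.unscoped.where(:id => subscriber_ids)` line deliberately steps around the taxonomix default scope so that every subscriber id resolves to a user, which is exactly what the `:user_id` version failed to do; a one-line comment on that line stating why the scope is bypassed would keep a later cleanup from "fixing" it back to a scoped lookup and silently reintroducing the dropped recipients. Since an unscoped lookup resolves any id it is handed regardless of organization or location, it is also worth confirming in review that `subscriber_ids` is populated only from server-side subscription data and never from request parameters.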
for reviewer (and myself): If we used :user_id, Rails later tried to load the association when it validates presence of user, but it respects the default scope defined by taxonomix; therefore it couldn't find the user and silently failed to save the built associated notification recipient. Searching for users like this should be more efficient, since it loads all of them in one query.
[test foreman]
LGTM, let's see that tests pass now.

I think https://github.com/Katello/katello/blob/master/test/katello_test_helper.rb#L91 needs to also be fixed for katello tests to run
I was able to reproduce and test by:

If I remove the test user from all organizations, it still works fine and the test user cannot see the admin users. @ares
@iNecas Do katello tests run without minitest/minitest#696 ?

I don't see the relation of katello test failures to minitest/minitest#696
Thanks @dLobatog, katello tests should be fixed by Katello/katello#6800. I triggered tests of both at http://ci.theforeman.org/job/test_katello_pull_request/11873/
@ares looks like something didn't work on the manual test run, care to take a look? I don't want to merge this only to discover we broke katello somewhere. Other plugins may also need fixes.
Yeah, the Jenkins params are not well documented, so I triggered it with the wrong values; let's see if this will be better.
@ares I don't think that job got to run
Katello PR was merged, but theforeman/foreman-tasks#252 should go in too before this is merged. Otherwise one katello task test will be broken. @iNecas confirmed they will merge and release a new version soon (I expect it tomorrow).
Both required PRs are merged and foreman-tasks is released. I think everything would be green now, but Foreman tests seem to be broken.
[test katello]
I went through all Katello failures, all are instances of
@ares No worries, I'm keeping track of these. Foreman tests seem fine. Thank you!