#528 ✓resolved
Greg Schueler

authorization for api call to system/info is not checked

Reported by Greg Schueler | February 23rd, 2012 @ 06:36 PM | in Rundeck 1.4.3 (closed)

  • Issue Type: Bug
  • Rundeck version: 1.4.2

Issue:

Making the api request for system info at /api/1/system/info does not properly check the authorization required. The authorization should require this aclpolicy declaration in the application context:

resource:
  - equals:
      kind: system
    allow: [read] # allow read of system info

Reproduce:

Remove the authorization listed above for a user or api_token_group.

Request the /api/1/system/info endpoint.

The result is the system info data, which should not be allowed.
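As an added example (not Rundeck's own code), the following is a simplified model of the application-context aclpolicy check that the /api/1/system/info handler should perform. Policies are written as Python dicts mirroring the YAML shape from the ticket; the handler, policy names and the response payload are constructed for illustration, and the evaluation rules (default deny, explicit deny wins, `*` as wildcard action) are assumptions of this model.

```python
# Added example, not Rundeck's code: a minimal model of aclpolicy
# 'resource' rule evaluation, plus a handler that applies it.

def rule_matches(rule, resource):
    """A rule applies when every key under 'equals' matches the resource attribute."""
    return all(resource.get(k) == v for k, v in rule.get("equals", {}).items())

def is_authorized(policies, resource, action):
    """Evaluate 'for: resource:' rules. Default is deny; an explicit deny wins."""
    allowed = False
    for policy in policies:
        for rule in policy.get("for", {}).get("resource", []):
            if not rule_matches(rule, resource):
                continue
            if action in rule.get("deny", []):
                return False
            allow = rule.get("allow", [])
            if action in allow or "*" in allow:
                allowed = True
    return allowed

def system_info_endpoint(policies):
    """Handler with the check the ticket reports as missing:
    403 unless the caller holds 'read' on the resource kind 'system'."""
    if not is_authorized(policies, {"kind": "system"}, "read"):
        return 403, {"error": "unauthorized"}
    return 200, {"system": {"rundeck": {"version": "1.4.2"}}}  # constructed payload

# Constructed policies mirroring the ticket's YAML declaration
SYSTEM_READ_POLICY = {
    "context": {"application": "rundeck"},
    "for": {"resource": [{"equals": {"kind": "system"}, "allow": ["read"]}]},
}
# A policy that grants something else entirely; must not unlock system info
PROJECT_READ_POLICY = {
    "context": {"application": "rundeck"},
    "for": {"resource": [{"equals": {"kind": "project"}, "allow": ["read"]}]},
}

if __name__ == "__main__":
    print(system_info_endpoint([SYSTEM_READ_POLICY])[0])   # 200
    print(system_info_endpoint([PROJECT_READ_POLICY])[0])  # 403
```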
