authorization for api call to system/info is not checked
Reported by Greg Schueler | February 23rd, 2012 @ 06:36 PM | in Rundeck 1.4.3 (closed)
- Issue Type: Bug
- Rundeck version: 1.4.2
Issue:
Making the API request for system info at /api/1/system/info does not properly check the authorization required. The authorization should require this aclpolicy declaration in the application context:

resource:
  - equals:
      kind: system
    allow: [read] # allow read of system info

Reproduce:
Remove the authorization listed above for a user or api_token_group. Request the /api/1/system/info endpoint. The result is the system info data, which should not be allowed.
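To make the intended check concrete, here is an added example (not Rundeck's own code) of a minimal default-deny evaluator for the "resource / equals / allow" declaration quoted above, with the policy embedded as a dict of the same shape as the YAML; the deny-overrides rule and the attribute-equality matching are assumptions of this toy model, not a description of Rundeck's real evaluator:

```python
from typing import Any, Dict, List

# Same declaration as the ticket's aclpolicy fragment, expressed as a dict.
SYSTEM_READ_POLICY: Dict[str, Any] = {
    "resource": [
        {"equals": {"kind": "system"}, "allow": ["read"]},
    ],
}

# A policy with the declaration removed: the "Reproduce" state from the ticket.
NO_SYSTEM_POLICY: Dict[str, Any] = {"resource": []}


def _matches(rule: Dict[str, Any], resource: Dict[str, str]) -> bool:
    """An 'equals' clause matches only if every listed attribute is identical (assumed semantics)."""
    wanted: Dict[str, str] = rule.get("equals", {})
    return all(resource.get(key) == value for key, value in wanted.items())


def is_allowed(policy: Dict[str, Any], resource: Dict[str, str], action: str) -> bool:
    """Default deny: allowed only if a matching rule lists the action and no matching rule denies it."""
    allowed = False
    rules: List[Dict[str, Any]] = policy.get("resource", [])
    for rule in rules:
        if not _matches(rule, resource):
            continue
        if action in rule.get("deny", []):
            return False  # an explicit deny wins (toy-model assumption)
        if action in rule.get("allow", []):
            allowed = True
    return allowed


def system_info_authorized(policy: Dict[str, Any]) -> bool:
    """The check /api/1/system/info should perform before returning any data."""
    return is_allowed(policy, {"kind": "system"}, "read")


if __name__ == "__main__":
    print("with declaration:", system_info_authorized(SYSTEM_READ_POLICY))    # True
    print("without declaration:", system_info_authorized(NO_SYSTEM_POLICY))   # False
```

With the declaration absent, the function returns False, which is the response the ticket expects instead of the system info data.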
Comments and changes to this ticket
- Greg Schueler, April 30th, 2012 @ 06:34 PM
  - State changed from new to needs_verification
  - Milestone order changed from 8 to 0
(from [55be65d61ae55496740401b4896f85ff0b55ca47]) Add proper auth check for api/system/info
[#528 state:needs_verification] https://github.com/dtolabs/rundeck/commit/55be65d61ae55496740401b48...
- Greg Schueler, May 17th, 2012 @ 11:22 AM
  - State changed from needs_verification to resolved