-
Notifications
You must be signed in to change notification settings - Fork 3.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
User has access to JOBS he has not run #3476
Comments
This is currently intentional behavior; it would be a significant user-facing change at this point, and therefore would be treated/scheduled as n enhancement. |
USE permission -> execute permission |
The point is that this is information leakage. As a Security Auditor, I would make a point on this. |
I could possibly imagine adding an auditor_role for job templates, although this would significantly complicate the querysets. |
ISSUE TYPE
COMPONENT NAME
SUMMARY
When user has USE permission on job template, it sees all jobs and thus job logging, survey data, etc, from all other users having access to this job template as well. This is seen as information leakage. Auditors and security officers do not like this. Users should see job info only for jobs it has permission to see. This includes his own jobs, and, though some RBAC control(s) jobs from other users.
ENVIRONMENT
STEPS TO REPRODUCE
As user1, create a JT and give USE permission to user2 and user3
As user1, run the JT
As user2, run the JT
As user3, run the JT
As user3, look at jobs
EXPECTED RESULTS
As user1, I see only my own jobs
As user2, I see only my own jobs
As user3, I see only my own jobs
ACTUAL RESULTS
As userx, I see jobs from user1, user2 and user3
ADDITIONAL INFORMATION
Sometimes it would be usefull to see JOBS on JT ran by another user/team. No recommendation on how RBAC should be set up to allow that.
Files as a bug and not as a feature request on purpose.
The text was updated successfully, but these errors were encountered: