
User has access to JOBS he has not run #3476

Open
fvzwieten opened this issue Mar 22, 2019 · 4 comments

Comments

@fvzwieten

ISSUE TYPE
  • Bug Report
COMPONENT NAME
  • UI
SUMMARY

When a user has USE permission on a job template, they see all jobs, and thus job logging, survey data, etc., from all other users having access to this job template as well. This is seen as information leakage. Auditors and security officers do not like this. Users should see job info only for jobs they have permission to see. This includes their own jobs and, through some RBAC control(s), jobs from other users.

ENVIRONMENT
  • AWX version: 3.4.1
  • AWX install method: non-docker
  • Ansible version: 2.7.0
  • Operating System: RHEL7
  • Web Browser: Firefox 66
STEPS TO REPRODUCE

As user1, create a JT and give USE permission to user2 and user3
As user1, run the JT
As user2, run the JT
As user3, run the JT
As user3, look at jobs

EXPECTED RESULTS

As user1, I see only my own jobs
As user2, I see only my own jobs
As user3, I see only my own jobs

ACTUAL RESULTS

As userx, I see jobs from user1, user2 and user3

ADDITIONAL INFORMATION

Sometimes it would be useful to see JOBS on a JT run by another user/team. No recommendation on how RBAC should be set up to allow that.
Filed as a bug and not as a feature request on purpose.

@wenottingham
Contributor

This is currently intentional behavior; it would be a significant user-facing change at this point, and therefore would be treated/scheduled as an enhancement.

@AlanCoding
Member

When user has USE permission on job template

USE permission -> execute permission

@fvzwieten
Author

The point is that this is information leakage. As a Security Auditor, I would make a point on this.

@AlanCoding
Member

#3668

I could possibly imagine adding an auditor_role for job templates, although this would significantly complicate the querysets.
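To measure the exposure this thread describes from an auditor's side, here is an added example (not from the issue or from the AWX project) that computes, for one job template, which jobs each execute-role holder can see but did not launch. It assumes the response shapes of AWX's /api/v2/job_templates/<id>/access_list/ and /api/v2/jobs/?job_template=<id> endpoints; the payloads below are constructed, and the set of roles treated as job-exposing is an assumption modelled on the thread (USE in the UI is the Execute role; Admin implies it).

```python
"""Cross-user job visibility on one AWX job template (added example)."""
from collections import defaultdict

# Assumption modelled on the thread: USE in the UI is the Execute role, and
# Admin implies Execute. Extend this set if your deployment exposes jobs
# through further roles.
JOB_VISIBLE_ROLES = {"Execute", "Admin"}

# Constructed sample shaped like /api/v2/job_templates/<id>/access_list/
ACCESS_LIST = {"results": [
    {"username": "user1", "summary_fields": {
        "direct_access": [{"role": {"name": "Admin"}}], "indirect_access": []}},
    {"username": "user2", "summary_fields": {
        "direct_access": [{"role": {"name": "Execute"}}], "indirect_access": []}},
    {"username": "user3", "summary_fields": {
        "direct_access": [], "indirect_access": [{"role": {"name": "Execute"}}]}},
]}

# Constructed sample shaped like /api/v2/jobs/?job_template=<id>
JOBS = {"results": [
    {"id": 101, "summary_fields": {"created_by": {"username": "user1"}}},
    {"id": 102, "summary_fields": {"created_by": {"username": "user2"}}},
    {"id": 103, "summary_fields": {"created_by": {"username": "user3"}}},
]}


def users_with_job_visibility(access_list):
    """Return usernames holding a direct or inherited job-exposing role."""
    visible = set()
    for entry in access_list["results"]:
        sf = entry["summary_fields"]
        roles = {a["role"]["name"] for a in sf["direct_access"] + sf["indirect_access"]}
        if roles & JOB_VISIBLE_ROLES:
            visible.add(entry["username"])
    return visible


def cross_user_exposure(access_list, jobs):
    """Map each exposed user to the job ids they can see but did not launch.

    This is the gap between the current rule (execute on the JT shows all of
    its jobs, including logs and survey data) and the reporter's expected
    rule (own jobs only)."""
    exposure = defaultdict(set)
    for user in users_with_job_visibility(access_list):
        for job in jobs["results"]:
            if job["summary_fields"]["created_by"]["username"] != user:
                exposure[user].add(job["id"])
    return dict(exposure)


if __name__ == "__main__":
    for user, ids in sorted(cross_user_exposure(ACCESS_LIST, JOBS).items()):
        print(f"{user}: can read {len(ids)} job(s) launched by others: {sorted(ids)}")
```

Pointing the two functions at live responses for each job template gives a per-template count of users who can read other users' job output, which is the figure an auditor would ask for.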
