Issue #8018: viewsets that are not guarded by rbac allow any user known to the system - Pulp

Send by e-mail

Issue #8018

viewsets that are not guarded by rbac allow any user known to the system

Added by mdellweg 2 months ago. Updated 27 days ago.

Status:

CLOSED - CURRENTRELEASE

Priority:

Normal

Assignee:

mdellweg

Category:

Sprint/Milestone:

3.10.0

Start date:

Due date:

Estimated time:

Severity:

2. Medium

Version:

Platform Release:

OS:

Triaged:

Yes

Groomed:

Sprint Candidate:

Tags:

Sprint:

Sprint 88

Quarter:

Description

As discussed on the mailinglist, it seems to be better to restrict access to all endpoints not explicitly guarded by rbac to users with the is_staff flag, aka admins.

Associated revisions

Revision 6e8f2c93 View on GitHub
Added by mdellweg about 1 month ago

Restrict default permissions to admin users

fixes #8018 https://pulp.plan.io/issues/8018

History

#1 Updated by pulpbot 2 months ago

Status changed from ASSIGNED to POST

PR: https://github.com/pulp/pulpcore/pull/1064

#2 Updated by dkliban@redhat.com about 2 months ago

Triaged changed from No to Yes
Sprint set to Sprint 88

#3 Updated by ttereshc about 1 month ago

Sprint/Milestone set to 3.10.0

#4 Updated by mdellweg about 1 month ago

Status changed from POST to MODIFIED

Applied in changeset pulpcore|6e8f2c9377095fb01a069858daa37c5217fbbdf8.

#5 Updated by pulpbot 27 days ago

Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Please register to edit this issue

Send by e-mail

Also available in: Atom PDF

Project

Profile

Help

Pulp

Issues

Agile boards

Custom queries