Project

Profile

Help

Actions
Send by e-mail Copy link

Issue #8018

closed

viewsets that are not guarded by rbac allow any user known to the system

Added by mdellweg over 3 years ago. Updated about 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
mdellweg
Category:
-
Sprint/Milestone:
3.10.0
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 88
Quarter:

Description

As discussed on the mailinglist, it seems to be better to restrict access to all endpoints not explicitly guarded by rbac to users with the is_staff flag, aka admins.

Actions
Copy link
 #1

Updated by pulpbot over 3 years ago

  • Status changed from ASSIGNED to POST
Actions
Copy link
 #2

Updated by dkliban@redhat.com over 3 years ago

  • Triaged changed from No to Yes
  • Sprint set to Sprint 88
Actions
Copy link
 #3

Updated by ttereshc over 3 years ago

  • Sprint/Milestone set to 3.10.0

Added by mdellweg over 3 years ago

Revision 6e8f2c93 | View on GitHub

Restrict default permissions to admin users

fixes #8018 https://pulp.plan.io/issues/8018

Actions
Copy link
 #4

Updated by mdellweg over 3 years ago

  • Status changed from POST to MODIFIED
Actions
Copy link
 #5

Updated by pulpbot about 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Actions
Send by e-mail Copy link

Also available in: Atom PDF