Issue #8018
viewsets that are not guarded by rbac allow any user known to the system
Severity: 2. Medium
Triaged: Yes
Groomed: No
Sprint Candidate: No
Sprint: Sprint 88
Description
As discussed on the mailing list, it seems to be better to restrict access to all endpoints not explicitly guarded by RBAC to users with the is_staff flag, aka admins.
Associated revisions
History
#2
Updated by dkliban@redhat.com about 2 months ago
- Triaged changed from No to Yes
- Sprint set to Sprint 88
#3
Updated by ttereshc about 1 month ago
- Sprint/Milestone set to 3.10.0
#4
Updated by mdellweg about 1 month ago
- Status changed from POST to MODIFIED
Applied in changeset pulpcore|6e8f2c9377095fb01a069858daa37c5217fbbdf8.
Restrict default permissions to admin users
fixes #8018 https://pulp.plan.io/issues/8018
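
Added example (not part of the issue and not pulpcore code): a dependency-free Python model of how a global default permission decides access to viewsets that declare no policy of their own, with a helper that lists those viewsets. The viewset, user and HasRepoPerm names are constructed, and the "any authenticated user" default is an assumption taken from the issue title; IsAuthenticated and IsAdminUser mirror the checks of the Django REST Framework classes of the same names.

```python
from dataclasses import dataclass

@dataclass
class User:  # constructed stand-in for a Django user
    username: str
    is_authenticated: bool = True
    is_staff: bool = False
    perms: tuple = ()

class IsAuthenticated:  # same check as DRF's class of this name
    def has_permission(self, user):
        return bool(user and user.is_authenticated)

class IsAdminUser:  # same check as DRF's class of this name: is_staff only
    def has_permission(self, user):
        return bool(user and user.is_staff)

class HasRepoPerm:  # hypothetical explicit RBAC policy
    def has_permission(self, user):
        return bool(user and "view_repo" in user.perms)

class BaseViewSet:
    permission_classes = None  # None: fall back to the global default

class StatusViewSet(BaseViewSet):  # hypothetical, not guarded by RBAC
    pass

class RepoViewSet(BaseViewSet):  # hypothetical, guarded by RBAC
    permission_classes = [HasRepoPerm]

def allowed(viewset, user, default_classes):
    """Apply the viewset's own policy, else the global default."""
    classes = viewset.permission_classes
    if classes is None:
        classes = default_classes
    return all(cls().has_permission(user) for cls in classes)

def unguarded(viewsets):
    """Audit helper: viewsets whose access depends on the default alone."""
    return [v.__name__ for v in viewsets if v.permission_classes is None]

# Constructed sample users
alice = User("alice")                    # ordinary account
bob = User("bob", perms=("view_repo",))  # holds an RBAC permission
admin = User("admin", is_staff=True)

if __name__ == "__main__":
    for default in ([IsAuthenticated], [IsAdminUser]):
        row = {u.username: allowed(StatusViewSet, u, default) for u in (alice, bob, admin)}
        print(default[0].__name__, row)
    print("relying on default:", unguarded([StatusViewSet, RepoViewSet]))
```

In a real DRF project the equivalent switch is the DEFAULT_PERMISSION_CLASSES entry of the REST_FRAMEWORK setting; viewsets with an explicit policy, like RepoViewSet here, are unaffected by it.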