Revision 293036df
Added by Daniel Lobato Garcia over 8 years ago
test/factories/user_related.rb | ||
---|---|---|
trait :architecture do
|
||
resource_type 'Architecture'
|
||
end
|
||
|
||
trait :report do
|
||
resource_type 'Report'
|
||
end
|
||
end
|
||
|
||
factory :role do
|
Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)
ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, so as not to give hints whether a Report
ID or Host ID is valid.
I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.
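The uniform-404 behaviour the commit message describes, modelled as an added example in plain Ruby (not Foreman's code): a lookup that returns the same 404 for an unknown report id and for a report whose host the caller may not view, next to the unchecked shape it replaces. Host, Report, Viewer and ReportLookup are hypothetical names standing in for the models and the 'view_hosts' permission.

```ruby
# Added example, not Foreman's code: models the fix described in the commit
# message without Rails. Host, Report, Viewer and ReportLookup are hypothetical.
Host   = Struct.new(:id, :name)
Report = Struct.new(:id, :host)

# A viewer holds the set of host ids it is authorized to see; this stands in
# for the 'view_hosts' permission and its filters.
class Viewer
  def initialize(visible_host_ids)
    @visible = visible_host_ids
  end

  def can_view_host?(host)
    @visible.include?(host.id)
  end
end

class ReportLookup
  def initialize(reports)
    @by_id = reports.to_h { |r| [r.id, r] }
  end

  # Pre-fix shape: any existing report id is served back, regardless of
  # whether the caller is allowed to see the report's host.
  def show_unchecked(id)
    report = @by_id[id]
    report ? [200, report] : [404, nil]
  end

  # Fixed shape: an unknown id and an unauthorized host both yield 404, so the
  # response alone does not reveal which report or host ids exist.
  def show_checked(viewer, id)
    report = @by_id[id]
    return [404, nil] if report.nil? || !viewer.can_view_host?(report.host)
    [200, report]
  end
end

if __FILE__ == $0
  # Constructed sample data: the viewer may only see host 1.
  h1, h2 = Host.new(1, 'a.example'), Host.new(2, 'b.example')
  lookup = ReportLookup.new([Report.new(1, h1), Report.new(2, h2)])
  viewer = Viewer.new([1])
  puts "unchecked report 2: #{lookup.show_unchecked(2).first}"        # 200
  puts "checked report 2:   #{lookup.show_checked(viewer, 2).first}"  # 404
  puts "checked report 999: #{lookup.show_checked(viewer, 999).first}" # 404
end
```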