Revision 293036df
Added by Daniel Lobato Garcia over 8 years ago
test/functional/api/v2/reports_controller_test.rb | ||
---|---|---|
require 'test_helper'
require 'functional/shared/report_host_permissions_test'
class Api::V2::ReportsControllerTest < ActionController::TestCase
include ::ReportHostPermissionsTest
describe "Non Admin User" do
def setup
User.current = users(:one) #use an unpriviledged user, not apiadmin
User.current = users(:one) #use an unprivileged user, not apiadmin
end
def create_a_puppet_transaction_report
... | ... | |
get :last, {:host_id => host.to_param }
assert_response :not_found
end
test 'cannot view the last report without hosts view permission' do
setup_user('view', 'reports')
report = FactoryGirl.create(:report)
get :last, { :host_id => report.host.id }, set_session_user.merge(:user => User.current)
assert_response :not_found
end
end
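Review bot: The new test `cannot view the last report without hosts view permission` pins only the negative path (a user with the reports view permission but no hosts permission gets `:not_found`), so an implementation that answered 404 for everyone would pass it unchanged; a paired positive case for the same action, granting the user the view permission on hosts as well and asserting `assert_response :success`, would make the authorization check observable. The included `::ReportHostPermissionsTest` may already supply that case for `show`/`destroy`, but that cannot be confirmed from this page. Note also that the region elided after `def create_a_puppet_transaction_report` means the method enclosing the first `get :last` call is partly outside the hunk.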
Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)
ReportsController 'show' and 'destroy' now perform a check to see if
the User is authorized to see the Host associated with the Report. In
case it's not, it returns 404, so as not to give hints about whether a Report
ID or Host ID is valid.
I followed the same approach on the API controllers. 'last' was not
vulnerable due to using my_reports which performs the necessary
check on 'view_hosts' permission.