Should users in an organization see objects set to no organization? (1.8 blocker)

Hi devs,

This 1.8 blocker, https://github.com/theforeman/foreman/pull/2273, fixes
the CVE where users that belong to an organization are able to see stuff
outside their scope.

However, I found that users that belong to an organization are currently
able to see objects that are not assigned to any taxonomy. So user 'foo' in
organization 'bar' (just an example) can see:

  • Domains in organization 'bar' and suborganizations
  • Domains without any organization

I discussed it a bit on #theforeman-dev but there are opinions both for
and against letting users see 'untaxed' objects.

Any advice on this would be helpful, or if you're a user and you're
actively using objects without organizations as globally shared objects.

This is an important security issue that is holding off the release, so
please speak up if you think users should see 'untaxed objects', otherwise
this will go in.

Thanks for the input,

--
Daniel Lobato Garcia

@eLobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato

It all depends upon your security model for hosting. I could see it going
either way. Could you make it toggleable?

On Wednesday, April 8, 2015 at 8:18:31 AM UTC-5, Daniel Lobato wrote:

> I discussed it a bit on #theforeman-dev but there are opinions both for
> and against letting users see 'untaxed' objects.

Are these scenarios only when viewing things within the UI?

You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Config setting makes sense to me, too. "Objects not in an organization are
a) visible to all users b) hidden from all users"

On Wed, Apr 8, 2015 at 12:52 PM, Chad Walstrom wrote:

> It all depends upon your security model for hosting. I could see it going
> either way. Could you make it toggleable?

As a user, I think objects not belonging to an organisation are basically there for all … So I like the current "feature" tbh.

Sent from my smartphone

On 8 Apr 2015, at 18:57, Eric D Helms wrote:

> Are these scenarios only when viewing things within the UI?

Hello,

In the API there's the same situation. Usually an API call uses "Any Context", so the
question is whether, as a user assigned to org A and B, you want to see domains
unassigned to any orgs together with all domains assigned to A or B (and children and
parent orgs).

As said in other mails, both options seem like they could make sense. But rather than
making it another option and making taxonomies even more confusing, I'd rather
change the whole "global" resources model so we always have some default org
that is hidden. But that's another story and I don't want to go off-topic
here.

Since I don't see one "correct" way and both use-cases are valid, I'd suggest
opening a new issue under the taxonomies tracker [1] and, if anyone is
interested, they can start to think about how to improve the current state.

[1] Tracker #10022: Taxonomies related issues - Foreman

--
Marek

On Wednesday 08 of April 2015 12:57:29 Eric D Helms wrote:

> Are these scenarios only when viewing things within the UI?


> Are these scenarios only when viewing things within the UI?

Nope, that's for both UI and API and any access the user has over
objects.

Making it toggleable is possible, but we would like to choose a default
for what things should look like right after this PR. In my opinion
these objects should still be visible under 'Any context', as I said on
the PR discussion.



Daniel Lobato Garcia

@eLobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
Keybase: https://keybase.io/elobato

> Config setting makes sense to me, too. "Objects not in an organization are
> a) visible to all users b) hidden from all users"

If we are going to implement it, I vote for (b) to be the default value, as
the safer option.

--
Later,
Lukas #lzap Zapletal

It's merged now. https://github.com/theforeman/foreman/pull/2273

Just a warning in case users are already using objects without a
location/organization as 'globally shared' objects: in order to do so,
you'd have to add the object to all taxonomies so it's available to
all users. We should put something like that in the release notes.



Daniel Lobato

@elobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
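The following is an added example, not code from Foreman or from anyone in this thread: a small Ruby model of the scoping rule the thread argues about. It shows the pre-fix behaviour (an object with no organization is treated as global and shown to every user), the post-fix behaviour (such objects are hidden as soon as an organization context is selected), and the workaround Daniel warns about after the merge (attach a shared object to every organization explicitly). Everything in it is constructed: the organizations bar, bar-sub and baz, the domains, user foo, and the `hide_untaxed` switch that stands in for the change in PR 2273. It follows the mails rather than Foreman's actual Taxonomix scopes, assumes that untaxed objects stay visible under "Any Context" (Daniel's stated preference), and does not model the parent-org inheritance Marek mentions.

```ruby
require 'set'

# Constructed toy model of taxonomy scoping (not Foreman code). Names are made up.
Org    = Struct.new(:name, :parent)
Domain = Struct.new(:name, :organizations)   # organizations == [] means "untaxed"
User   = Struct.new(:login, :organizations)

BAR      = Org.new('bar', nil)
BAR_SUB  = Org.new('bar-sub', BAR)           # suborganization of bar
BAZ      = Org.new('baz', nil)               # unrelated organization
ALL_ORGS = [BAR, BAR_SUB, BAZ].freeze

DOMAINS = [
  Domain.new('bar.example',     [BAR]),
  Domain.new('sub.bar.example', [BAR_SUB]),
  Domain.new('baz.example',     [BAZ]),
  Domain.new('shared.example',  []),         # the disputed "untaxed" case
].freeze

FOO = User.new('foo', [BAR])                 # member of bar only

# org plus all of its suborganizations ("Domains in organization 'bar' and suborganizations").
def subtree(org, all_orgs = ALL_ORGS)
  all_orgs.select do |o|
    cur = o
    cur = cur.parent while cur && cur != org # walk up until we hit org or the root
    !cur.nil?
  end
end

# context is an Org the user has selected, or :any for Foreman's "Any Context".
# hide_untaxed: false reproduces the behaviour before PR 2273, true the fixed one.
def visible_domains(user, context, domains = DOMAINS, hide_untaxed: true)
  in_scope =
    if context == :any
      user.organizations.flat_map { |o| subtree(o) }
    else
      unless user.organizations.include?(context)
        raise ArgumentError, "#{user.login} is not a member of #{context.name}"
      end
      subtree(context)
    end
  in_scope = Set.new(in_scope)

  domains.select do |d|
    if d.organizations.empty?
      # Before the fix an untaxed object was implicitly global: default-allow.
      # After it, it is hidden once an organization is selected; the assumption
      # here is that it stays visible in Any Context, as Daniel preferred.
      !hide_untaxed || context == :any
    else
      d.organizations.any? { |o| in_scope.include?(o) }
    end
  end.map(&:name)
end

# The post-merge workaround from the thread: an object meant to be shared by all
# users has to be attached to every organization explicitly, not left untaxed.
def share_with_all(domain, all_orgs = ALL_ORGS)
  Domain.new(domain.name, all_orgs.dup)
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix, foo in bar:   #{visible_domains(FOO, BAR, DOMAINS, hide_untaxed: false).inspect}"
  puts "after fix,  foo in bar:   #{visible_domains(FOO, BAR).inspect}"
  puts "after fix,  foo any ctx:  #{visible_domains(FOO, :any).inspect}"
  fixed = DOMAINS.map { |d| d.organizations.empty? ? share_with_all(d) : d }
  puts "after sharing explicitly: #{visible_domains(FOO, BAR, fixed).inspect}"
end
```

The point the model makes is that "no taxonomy" was acting as a default-allow rule: an object nobody had scoped leaked to every organization-bound user, which is the information disclosure the CVE describes. The fix turns it into default-deny, and sharing becomes an explicit act (adding the object to each taxonomy) that shows up in the object's own data rather than being implied by its absence.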