Role member suggestion endpoint is reachable for unauthorized users #4961

nilmerg · 2022-12-07T10:14:24Z

Describe the bug

Any logged in user can, with a specifically crafted request, retrieve role member suggestions. (User- and Usergroup-Names)

To Reproduce

Generic user X logs in to Icinga2.
- Captures icingaweb2 login cookies/session cookies
Retrieves suggestion using the request below

curl -L -X POST <IP>/icingaweb2/role/suggest-role-member?_disableLayout=1&showCompact=1' \
-H 'Origin: <IP>' \
-H 'Accept: */*' \
-H 'Content-Type: application/json' \
-H 'Cookie: Icingaweb2=<TOKEN>; icingaweb2-session=<session_EPOCH> \
--data-raw '{"term":{"label":"*"}}'

Expected behavior

Only users with the correct permission should be able to do this.

Additional context

https://rt.icinga.com/Ticket/Display.html?id=43448

The text was updated successfully, but these errors were encountered:

nilmerg self-assigned this Dec 7, 2022

nilmerg mentioned this issue Dec 7, 2022

RoleController: Always perform a permission check #4954

Merged

nilmerg added bug Something isn't working area/configuration Affects the configuration labels Dec 7, 2022

nilmerg closed this as completed in #4954 Dec 7, 2022

nilmerg added this to the 2.11.3 milestone Dec 8, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Role member suggestion endpoint is reachable for unauthorized users #4961

Role member suggestion endpoint is reachable for unauthorized users #4961

nilmerg commented Dec 7, 2022

Role member suggestion endpoint is reachable for unauthorized users #4961

Role member suggestion endpoint is reachable for unauthorized users #4961

Comments

nilmerg commented Dec 7, 2022

Describe the bug

To Reproduce

Expected behavior

Additional context