Bug #23332

Security

Added by Stephen White about 2 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Target version: -
Start date: 09/25/2019
Due date:
% Done: 100%
Estimated time:
First Occurred:
Scope: Internal
Experiment: -
Stakeholders:
Duration:

Description

A) Switching from production in experiment A to analysis in experiment B leaves user with production abilities.
1) Turn off root for yourself.
2) Have production in for DUNE and analysis for SAMDEV
3) On the main page I changed myself to DUNE production
4) Now change to SAMDEV
5) The URL shows production, but the dropdown shows analysis. The forms allow production access.

B) Manually changing the link from analysis to production gives access to production data.
Note: changing the experiment in the link IS caught. We need to add a test for role at this same point.

History

#1 Updated by Marc Mengel about 2 months ago

  • % Done changed from 0 to 90
  • Status changed from New to Resolved

So the security bug is fixed; but now of course the user gets a permission denied error page, and has to go back in their browser, change role first, then change experiment...

Better we should know what their max level is for each experiment, and if they switch experiments to a role they don't have, knock the role down too...

#2 Updated by Marc Mengel about 2 months ago

Ah... this all gets redirected through update_session_experiment, so we can check there...

#3 Updated by Marc Mengel about 2 months ago

  • % Done changed from 90 to 100

Okay, so now f017d1d2 we knock you down to your max role if switching to an experiment where you cannot go as high as you are now.
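The fix described in this thread, as an added example that is not the project's own code: on an experiment switch the session role (whether carried over from the previous experiment or supplied in the URL) is clamped to the highest role the user actually holds in the target experiment. The role ordering, the user/experiment table and the function names are assumptions made for the example.

```python
# Added example (not the project's code): enforce a per-experiment role
# ceiling when the session experiment changes. Names and data are hypothetical.

# Role ordering: a higher rank means more privilege.
ROLE_RANK = {"analysis": 0, "production": 1, "superuser": 2}

# Constructed sample of per-experiment maximum roles for one user,
# mirroring the report: production in DUNE, analysis in SAMDEV.
USER_MAX_ROLE = {
    "stephen": {"dune": "production", "samdev": "analysis"},
}


def max_role_for(user, experiment):
    """Highest role `user` holds in `experiment`, or None if no access."""
    return USER_MAX_ROLE.get(user, {}).get(experiment)


def update_session_experiment(session, experiment, requested_role=None):
    """Switch `session` to `experiment` and apply the role ceiling.

    `requested_role` models a role taken from the URL. Whether the role
    comes from the URL or is the session's current role, it may never
    exceed the user's maximum for the target experiment: it is knocked
    down to that maximum instead of being carried over.
    Returns the new session dict; raises PermissionError if the user
    has no access to the target experiment at all.
    """
    user = session["user"]
    ceiling = max_role_for(user, experiment)
    if ceiling is None:
        # Changing the experiment in the link to one the user is not
        # a member of is refused outright (this case was already caught).
        raise PermissionError(f"{user} has no access to {experiment}")

    role = requested_role or session["role"]
    if role not in ROLE_RANK:
        raise ValueError(f"unknown role {role!r}")

    # The role is never raised here, only lowered to the ceiling.
    if ROLE_RANK[role] > ROLE_RANK[ceiling]:
        role = ceiling

    return {"user": user, "experiment": experiment, "role": role}
```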