Bug #23333

Security Hole

Added by Stephen White about 2 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Normal
Assignee:
Target version:
Start date: 09/25/2019
Due date:
% Done: 100%
Estimated time:
First Occurred:
Scope: Internal
Experiment: -
Stakeholders:
Duration:

Description

A) Switching from production in experiment A to analysis in experiment B leaves the user with production abilities.
1) Turn off root for yourself.
2) Have production for DUNE and analysis for SAMDEV.
3) On the main page I changed myself to DUNE production.
4) Now change to SAMDEV where you only have analysis role.
5) The URL shows production, but the dropdown shows analysis. The forms allow production access.

B) Manually changing the link from analysis to production gives access to production data.
Note: changing the experiment in the link IS caught. We need to add a test for role at this same point.
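
A sketch of the role test asked for in the note above, covering cases A and B. It is an added example, not code from this project: `User`, `Forbidden`, `authorize`, `role_after_switch`, the `grants` layout and the least-to-most-privileged order in `ROLES` are all hypothetical, and the sample user is constructed to match the steps in the report (root turned off).

```python
# Added example with hypothetical names; not the project's own code.
from dataclasses import dataclass, field

# Assumption: roles listed from least to most privileged.
ROLES = ("analysis", "production")


class Forbidden(Exception):
    """The requested experiment/role pair is not granted to this user."""


@dataclass
class User:
    name: str
    # experiment -> set of roles granted there (constructed sample data below)
    grants: dict = field(default_factory=dict)


def authorize(user, experiment, role):
    """Check BOTH URL components against the grants on every request (case B)."""
    if experiment not in user.grants:
        raise Forbidden(f"{user.name} has no access to experiment {experiment!r}")
    if role not in user.grants[experiment]:
        raise Forbidden(f"{user.name} does not hold {role!r} in {experiment!r}")
    return experiment, role


def role_after_switch(user, current_role, new_experiment):
    """Pick the role for a newly selected experiment (case A).

    Keep the current role only if it is granted in the new experiment;
    otherwise drop to the least-privileged role the user holds there.
    """
    granted = user.grants.get(new_experiment, set())
    if current_role in granted:
        return current_role
    for role in ROLES:
        if role in granted:
            return role
    raise Forbidden(f"{user.name} has no role in {new_experiment!r}")


# Constructed user matching the report: production in DUNE, analysis only in SAMDEV.
reporter = User("reporter", {"DUNE": {"production"}, "SAMDEV": {"analysis"}})
```

Calling `authorize` with the experiment and role parsed from the URL at the start of every handler means the role shown in the URL, the dropdown and the forms all derive from one checked value.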

History

#1 Updated by Stephen White about 2 months ago

  • Description updated (diff)

#2 Updated by Marc Mengel about 2 months ago

  • % Done changed from 0 to 100
  • Status changed from New to Resolved

