Gabriel Roldan created an issue |
GeoFence “Admin rules” grant “ADMIN” access to unauthorized users |
Issue Type: | Bug |
---|---|
Affects Versions: | 2.19.0 |
Assignee: | |
Attachments: | image-2021-05-21-15-27-39-296.png, image-2021-05-21-15-28-19-481.png |
Components: | GeoFence |
Created: | 21/May/21 8:28 PM |
Priority: | Medium |
Reporter: | |

Initially reported as a geofence issue about a year ago.
The mere existence of Admin Rules grants admin access to all workspaces for which an admin rule exists to all users.
To reproduce:
$ cp -rf data/release /tmp/data_dir
$ mvn -f src/web/app -Pgeofence-server \
-DGEOSERVER_DATA_DIR=/tmp/data_dir \
-Djava.net.preferIPv4Stack=true \
jetty:run
Create the following users and roles:
User | Role |
---|---|
sf_admin | SF_ADMIN |
sf_user | SF_USER |
topp_admin | TOPP_ADMIN |
topp_user | TOPP_USER |
Set up the following GeoFence “Data Rules”:
Set up the following GeoFence “Admin Rules”:
This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100162-sha1:2e82ed7) |