Observium / OBS-4635

Search is not filtered based on device permissions


Details

    • Bug
    • Resolution: Fixed
    • Major
    • None
    • Professional Edition
    • Security
    • None
    • Observium 23.10.13049

    Description

      Search is not filtered based on device permissions. This leads to an info leak when providing restricted access for users on specific devices. Search results will include devices, sensors and other resources on devices which the user should not be able to see.

      This appears to be because of using $GLOBALS['cache']['where']['device_permitted'] to generate the WHERE-clause, while the correct variable is $GLOBALS['cache']['where']['devices_permitted'].

      I've attached a proposed patch.

          People

            landy Mike Stupalov
            vegarl Vegar Løvås
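The failure mode described in this report, as an added PHP example that is not Observium's code or the attached patch: a misspelled array key yields null, the permission fragment concatenates as an empty string, and the search runs unfiltered. The table, the fragment format, and the `search()` and `permitted_where()` helpers are assumptions for illustration; the example needs the pdo_sqlite extension.

```php
<?php
// Constructed sample data: three devices; the user is permitted on 1 and 3 only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE devices (device_id INTEGER PRIMARY KEY, hostname TEXT)');
$db->exec("INSERT INTO devices VALUES (1,'sw-core-1'),(2,'sw-finance-1'),(3,'sw-edge-1')");

// Stand-in for the per-user permission cache named in the report (fragment format assumed).
$cache = ['where' => ['devices_permitted' => ' AND device_id IN (1,3)']];

function search(PDO $db, string $term, ?string $permFragment): array
{
    // A missing fragment (null) concatenates as '', leaving the query unfiltered.
    $stmt = $db->prepare('SELECT hostname FROM devices WHERE hostname LIKE ?' . $permFragment);
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hypothetical fail-closed accessor: a missing or empty fragment is an error, not "no filter".
// Assumption: unrestricted users get an explicit always-true fragment rather than an empty one.
function permitted_where(array $cache, string $key): string
{
    $fragment = $cache['where'][$key] ?? null;
    if (!is_string($fragment) || trim($fragment) === '') {
        throw new RuntimeException("permission fragment '$key' is not set");
    }
    return $fragment;
}

// Misspelled key: PHP raises only a warning/notice (silenced here with @) and yields null,
// so every matching device is returned.
$leaky = search($db, 'sw', @$cache['where']['device_permitted']);
// Correct key: results are limited to the permitted devices.
$filtered = search($db, 'sw', $cache['where']['devices_permitted']);

echo 'misspelled key: ', implode(', ', $leaky), PHP_EOL;
echo 'correct key:    ', implode(', ', $filtered), PHP_EOL;

try {
    // With the accessor, the same typo stops the search instead of widening it.
    search($db, 'sw', permitted_where($cache, 'device_permitted'));
} catch (RuntimeException $e) {
    echo 'fail-closed:    ', $e->getMessage(), PHP_EOL;
}
```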