[OBS-4635] Search is not filtered based on device permissions - Observium

Details

Type: Bug
Resolution: Fixed
Priority: Major
Fix Version/s: None
Affects Version/s: Professional Edition
Component/s: Security
Labels:
None
Environment:
Observium 23.10.13049

Description

Search is not filtered based on device permissions. This leads to a info leak when providing restricted access for users on specific devices. Search results will include devices, sensors and other resources on devices which the user should not be able to see.

This appears to be because of using $GLOBALS['cache']['where']['device_permitted'] to generate the WHERE-clause, while the correct variable is $GLOBALS['cache']['where']['devices_permitted'].

I've attached a proposed patch.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

231012_observium_search_fix_devices_permitted.patch
9 kB
2023/10/12 01:53 PM

Activity

[OBS-4635] Search is not filtered based on device permissions

Mike Stupalov made changes - 2023/10/12 07:20 PM

Resolution		New: Fixed [ 1 ]
Status	Original: Pending Response [ 10000 ]	New: Resolved [ 5 ]

Observium Bot made changes - 2023/10/12 01:58 PM

Status

Original: Open [ 1 ]

New: Pending Response [ 10000 ]

Vegar Løvås created issue - 2023/10/12 01:58 PM

People

Assignee:: Mike Stupalov

Reporter:: Vegar Løvås

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023/10/12 01:58 PM

Updated:: 2023/10/12 07:20 PM

Resolved:: 2023/10/12 07:20 PM