Details
-
Bug
-
Resolution: Fixed
-
Major
-
None
-
None
-
We run Observium CE version 0.14.4.5185
Description
Account "user1", with access level "Normal User" has configured access to device "server1". That server shares network segment with some other servers and for example "router1"
When user1 go to see his server's port status, in the Details page, he will find all the others servers information like:
- names used in observium,
- interfaces names, like Eth0
- IP addresses (in this shared segment)
- name, port name/number on the router1
Even the labels are not links, and user1 can't go further accessing more information about other devices, I don't think that information must be available to him.
I file this bug, because that prevents me to give my client access to the monitoring.
Link to the mailing list: http://postman.memetic.org/pipermail/observium/2014-July/007197.html
Best Regards!
Attachments
Activity
Attached path will hide shared subnet devices, if user does not have access.
About alert list I think that should already be solved, but I do not use it so cannot confirm 100%.
I don't mind device names or interface names being shown, but right now normal users can see the alert list and all the alert rules making it a problem for me to allow any access to customer ports at this point.
In the same vein, normal users without any permissions might access the alerts and alert checkers, this is wrong too.
Fixed in r7667.