action #18594 (closed)
[tools][sprint 201712.1][bonus] Worker page is accessible without logging in
Added by szarate almost 8 years ago. Updated about 7 years ago.
Category: Feature requests
Description
If an unauthenticated user tries to navigate to one of the worker details pages, he can see all the details.
At least he can't modify any of the jobs, but still, while it's not a security issue, I don't think that it should be available for the public, or at least not under /admin (in case we want to allow the public to access this page).
https://openqa.suse.de/admin/workers/141
We recently changed the behaviour to make more pages accessible to non-admin users. I don't think that it is a problem to have the page available under "/admin/" because "admin" says it's intended for administration, not that you need to be an admin.
- Target version set to Ready
Indeed - the JOBTOKEN might be a 'leak' though.
Hiding it for non-admins sounds like a nice entrance-level issue though.
- Status changed from New to In Progress
- Target version changed from Ready to Current Sprint
First try: changing the worker route to require auth seems the wrong direction...
Focus on 'hiding'...
- Subject changed from Worker page is accessible without logging in to [tools][bonus] Worker page is accessible without logging in
Wait. I remember that originally mkittler, based on my request, made these pages accessible so that anyone can check the status of workers read-only. Hiding the page completely should not be the way to go.
Just for the record: we're talking about hiding details on the page, not the page itself.
- Status changed from In Progress to Resolved
- Subject changed from [tools][bonus] Worker page is accessible without logging in to [tools][sprint 201712.1][bonus] Worker page is accessible without logging in
- Target version changed from Current Sprint to Milestone 12