ranger-dev mailing list archives

From Nitin Galave <nitin.gal...@gmail.com>
Subject Review Request 67624: RANGER-2130: Ranger Admin - client-side control bypass
Date Mon, 18 Jun 2018 06:02:09 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67624/
-----------------------------------------------------------

Review request for ranger, Gautam Borad, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.


Bugs: RANGER-2130
    https://issues.apache.org/jira/browse/RANGER-2130


Repository: ranger


Description
-------

In the Ranger Admin UI, on the Users page, after clicking on a user, if you edit the HTML on
the site (i.e. in Chrome) you can remove the 'disabled' tag so that the Role field of the user
is no longer greyed out and you can change the role from User to Admin!
Also, the user is able to see the other roles in the system.


Diffs
-----

  security-admin/src/main/webapp/scripts/models/VXPortalUser.js 0292ceb 
  security-admin/src/main/webapp/scripts/views/users/UserForm.js ee0d256 


Diff: https://reviews.apache.org/r/67624/diff/1/


Testing
-------

1. No user can change their own role through the profile page option, even after enabling the
role field through Chrome's Inspect Element feature. (Also, the user can't see other roles in the
role drop-down.)
2. An Admin is able to change another Admin user's role.
3. An Admin is able to view and update other users' roles through the UI.
4. A user with the Admin role is able to change the role of the user named "admin".


Thanks,

Nitin Galave
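The review above describes a client-side control (a greyed-out Role field) being bypassed by editing the DOM, and the Testing section lists the rules the fix is meant to enforce. As an added illustration, not code from this review or from the Ranger project, the following JavaScript sketches what those rules look like when enforced on the server, where the request body is attacker-controlled and the form's `disabled` state carries no authority. The role names, the session object, the `visibleRoles`/`authorizeRoleChange`/`updateUserRole` functions and the sample users are all assumptions made for the example.

```javascript
// Added example, not Ranger's own code. Role names, session shape and the
// handler names below are hypothetical; the rules follow the Testing list.
const ROLES = ["ROLE_USER", "ROLE_SYS_ADMIN"]; // assumed role names
const ADMIN = "ROLE_SYS_ADMIN";

// Roles a caller may be offered in the role drop-down: a plain user only
// sees their own role, an admin sees every role (test item 1).
function visibleRoles(session) {
  return session.role === ADMIN ? ROLES.slice() : [session.role];
}

// Decide on the server whether `session` may set `target`'s role to
// `newRole`. Nothing here consults what the browser form looked like.
function authorizeRoleChange(session, target, newRole) {
  if (!ROLES.includes(newRole)) {
    return { allowed: false, reason: "unknown role" };
  }
  if (newRole === target.role) {
    // The form re-submits an unchanged role; that is a no-op, not an escalation.
    return { allowed: true, reason: "no change" };
  }
  if (session.role !== ADMIN) {
    // A non-admin may not change any role, including their own (item 1),
    // regardless of how the request was crafted.
    return { allowed: false, reason: "caller is not an admin" };
  }
  // An admin may change any user's role, including other admins and the
  // user named "admin" (items 2 to 4).
  return { allowed: true, reason: "admin may update roles" };
}

// Simulated request handler. `body` is exactly what the browser sent; the
// role field is present even if the form showed it greyed out.
function updateUserRole(session, users, body) {
  const target = users.find((u) => u.name === body.name);
  if (!target) {
    return { status: 404, role: null, reason: "no such user" };
  }
  const decision = authorizeRoleChange(session, target, body.role);
  if (!decision.allowed) {
    return { status: 403, role: target.role, reason: decision.reason };
  }
  target.role = body.role;
  return { status: 200, role: target.role, reason: decision.reason };
}

// Constructed sample data and the two requests that matter: the same
// tampered payload sent from a user session and from an admin session.
function demo() {
  const users = [
    { name: "alice", role: "ROLE_USER" },
    { name: "admin", role: ADMIN },
  ];
  // alice un-greys the Role field in the DOM and submits Admin for herself.
  const tampered = { name: "alice", role: ADMIN };
  const asUser = updateUserRole({ name: "alice", role: "ROLE_USER" }, users, tampered);
  // An admin sending the identical payload is a legitimate role update.
  const asAdmin = updateUserRole({ name: "admin", role: ADMIN }, users, tampered);
  return { asUser, asAdmin, aliceRole: users[0].role };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the example is that the decision is keyed on the authenticated session's role and the target's current role, never on a field the client can edit; hiding roles in the drop-down and disabling the field are usability measures on top of that check, not the check itself.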

