ranger-dev mailing list archives

From Velmurugan Periasamy <vperias...@hortonworks.com>
Subject Re: Review Request 67624: RANGER-2130: Ranger Admin - client-side control bypass
Date Thu, 21 Jun 2018 13:27:21 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/67624/#review205168
-----------------------------------------------------------


Ship it!




Ship It!

- Velmurugan Periasamy


On June 18, 2018, 6:02 a.m., Nitin Galave wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/67624/
> -----------------------------------------------------------
> 
> (Updated June 18, 2018, 6:02 a.m.)
> 
> 
> Review request for ranger, Gautam Borad, Mehul Parikh, Pradeep Agrawal, and Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2130
>     https://issues.apache.org/jira/browse/RANGER-2130
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> In the Ranger Admin UI, on the Users page, after clicking on a user, if you edit the HTML on the site (i.e. in Chrome) you can remove the 'disabled' tag so that the User role field is no longer greyed out and you can change the role from User to Admin!
> Also, a user is able to see the other roles in the system.
> 
> 
> Diffs
> -----
> 
>   security-admin/src/main/webapp/scripts/models/VXPortalUser.js 0292ceb 
>   security-admin/src/main/webapp/scripts/views/users/UserForm.js ee0d256 
> 
> 
> Diff: https://reviews.apache.org/r/67624/diff/1/
> 
> 
> Testing
> -------
> 
> 1. No user can change their role through the profile page option, even after enabling the role field through Chrome's Inspect Element feature. (Also, a user can't see other roles in the role drop-down.)
> 2. An Admin is able to change another Admin user's role.
> 3. An Admin is able to view & update other users' roles through the UI.
> 4. Another Admin-role user is able to change the role of the user named "admin".
> 
> 
> Thanks,
> 
> Nitin Galave
> 
>
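One way to enforce the rules listed in the description and test cases on the server side, as an added example that is not Ranger's code: the role names, `authorizeUserUpdate` and `visibleRoles` are assumptions for illustration, and the check relies only on the caller's server-side session roles, so a `disabled` attribute removed in DevTools has no effect.

```javascript
// Added example, not Ranger's own code: the server-side check that makes the
// client-side "disabled" attribute irrelevant. Role names and function names
// here are assumptions for illustration, not Ranger's actual API.
const ROLE_SYS_ADMIN = "ROLE_SYS_ADMIN";
const ROLE_USER = "ROLE_USER";
const KNOWN_ROLES = new Set([ROLE_SYS_ADMIN, ROLE_USER]);

const isAdmin = (user) => user.roles.includes(ROLE_SYS_ADMIN);

// Roles a caller may be shown in the role drop-down: admins see every role,
// everyone else sees only the roles they already hold (test case 1).
function visibleRoles(caller) {
  return isAdmin(caller) ? [...KNOWN_ROLES] : [...caller.roles];
}

function sameRoles(a, b) {
  const s = new Set(b);
  return a.length === s.size && a.every((r) => s.has(r));
}

// Decide whether `caller` may apply `update` to `target`. The decision uses
// only the caller's server-side session roles, never anything the browser
// sent, so re-enabling the <select> in DevTools changes nothing.
function authorizeUserUpdate(caller, target, update) {
  const wantsRoleChange =
    update.roles !== undefined && !sameRoles(update.roles, target.roles);

  if (wantsRoleChange) {
    if (!isAdmin(caller)) {
      return { allowed: false, reason: "only admins may change roles" };
    }
    const unknown = update.roles.find((r) => !KNOWN_ROLES.has(r));
    if (unknown !== undefined) {
      return { allowed: false, reason: `unknown role ${unknown}` };
    }
    // Admins may change any user's roles, including other admins and the
    // user named "admin" (test cases 2 to 4).
    return { allowed: true, reason: "admin role change" };
  }
  if (isAdmin(caller) || caller.name === target.name) {
    return { allowed: true, reason: "profile update without role change" };
  }
  return { allowed: false, reason: "cannot edit another user's profile" };
}
```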

