Gabriel Roldan ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A54db8b09-1e64-436a-adac-248049585cee ) *created* an issue
GeoServer ( https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiNTIwMTI0MmM5MDIzNGZjMDk0NzVjMjZhMzA0ZGVjMGYiLCJwIjoiaiJ9 ) / Bug / GEOS-10074 ( https://osgeo-org.atlassian.net/browse/GEOS-10074?atlOrigin=eyJpIjoiNTIwMTI0MmM5MDIzNGZjMDk0NzVjMjZhMzA0ZGVjMGYiLCJwIjoiaiJ9 )
GeoFence "Admin rules" grant "ADMIN" access to unauthorized users

Issue Type: Bug
Affects Versions: 2.19.0
Assignee: Gabriel Roldan
Attachments: image-2021-05-21-15-27-39-296.png, image-2021-05-21-15-28-19-481.png
Components: GeoFence
Created: 21/May/21 8:28 PM
Priority: Medium
Reporter: Gabriel Roldan

Initially reported as a geofence issue ( https://github.com/geoserver/geofence/issues/140 ) about a year ago.

The mere existence of Admin Rules grants admin access to all workspaces for which an admin rule exists to all users.

To reproduce:

    $ cp -rf data/release /tmp/data_dir
    $ mvn -f src/web/app -Pgeofence-server \
        -DGEOSERVER_DATA_DIR=/tmp/data_dir \
        -Djava.net.preferIPv4Stack=true \
        jetty:run

Create the following users and roles:

    User          Role
    sf_admin      SF_ADMIN
    sf_user       SF_USER
    topp_admin    TOPP_ADMIN
    topp_user     TOPP_USER

Set up the following GeoFence "Data Rules": ( https://osgeo-org.atlassian.net/secure/attachment/33706/33706_image-2021-05-21-15-27-39-296.png )

Set up the following GeoFence "Admin Rules": ( https://osgeo-org.atlassian.net/secure/attachment/33705/33705_image-2021-05-21-15-28-19-481.png )

_______________________________________________ Geoserver-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/geoserver-devel
