Permissions not checked when maniupulating cookbookds

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 0.9.16, 0.10.0
Fix Version/s: 0.9.18, 0.10.2
Component/s: Chef Server
Labels:
None

Description

While checking the permissions that the chef-validator client has (there should be a page somewhere that specifies what normal, admin and special clients can do), I found that ther are no restrictions on who can upload/delete cookbooks.

For example:

app\controller\users.rb

before :is_admin, :only => [ :create, :destroy, :update ]"

However, there is no such line in cookbooks.rb

Activity

Hide

Permalink

Daniel DeLeo added a comment - 29/Jun/11 7:57 PM

This is fixed and released.

Daniel, thank you for reporting this.

https://github.com/opscode/chef/commit/a4ea6edab2fecb922f999cffb0daa04eeeec7a26#diff-0

Show

Daniel DeLeo added a comment - 29/Jun/11 7:57 PM This is fixed and released. Daniel, thank you for reporting this. https://github.com/opscode/chef/commit/a4ea6edab2fecb922f999cffb0daa04eeeec7a26#diff-0

People

Assignee:

Daniel DeLeo

Reporter:

Daniel Oliver

Vote (0)

Watch (0)

Dates

Created:

23/Jun/11 10:53 AM

Updated:

29/Jun/11 7:57 PM

Resolved:

29/Jun/11 7:57 PM