Users are able to change the os and release when node is not acquired

Bug #1378936 reported by Blake Rouse on 2014-10-08
This bug affects 1 person
Affects: MAAS
Importance: High
Assigned to: Newell Jensen

Bug Description

Currently a user can change the os and release without the node being allocated. This should not be allowed until the node is allocated.

Julian Edwards (julian-edwards) wrote :

Isn't this a security problem (DoS)? I think these values only get reset when releasing, right? It would leave a nasty surprise for someone.

Changed in maas:
importance: Medium → Critical
milestone: none → 1.7.0
summary: Users should not be able to change the os and release if node not
- required
+ acquired
summary: - Users should not be able to change the os and release if node not
- acquired
+ Users are able to change the os and release when node is not acquired
Christian Reis (kiko) wrote :

It can be argued it's a security issue, but it's a minor one -- someone can trick another user into using a specific image instead of the default.

Anyway, let's disallow this for non-admin users. Explicitly, if you're not an admin, you can't change the OS/Release information until it's acquired.

Changed in maas:
importance: Critical → High
Christian Reis (kiko) on 2014-10-09
Changed in maas:
assignee: nobody → Newell Jensen (newell-jensen)
Christian Reis (kiko) on 2014-10-16
Changed in maas:
milestone: 1.7.0 → next
Changed in maas:
status: Triaged → Fix Committed
Christian Reis (kiko) on 2014-10-20
Changed in maas:
milestone: next → 1.7.0
Changed in maas:
status: Fix Committed → Fix Released
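
A minimal sketch of the rule agreed in the comments above (a non-admin cannot change the OS/release until the node is acquired), added here as an illustration and not MAAS's own code. The `User` and `Node` classes, the status names and the field names are hypothetical, and requiring the caller to be the node's owner, as well as resetting the values on release, are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical stand-ins for illustration; not MAAS's models or API.
READY, ALLOCATED = "ready", "allocated"

@dataclass
class User:
    name: str
    is_admin: bool = False

@dataclass
class Node:
    status: str = READY
    owner: Optional[User] = None
    osystem: str = ""        # empty string means "use the default"
    distro_series: str = ""

def can_set_os_release(user: User, node: Node) -> bool:
    """Admins may always change OS/release; others only on a node they hold."""
    if user.is_admin:
        return True
    # Assumption: "acquired" means allocated to this particular user.
    return node.status == ALLOCATED and node.owner is user

def set_os_release(user: User, node: Node, osystem: str, series: str) -> None:
    # Check before touching either field so a denied request changes nothing.
    if not can_set_os_release(user, node):
        raise PermissionError(
            f"{user.name} may not change OS/release on an unacquired node")
    node.osystem, node.distro_series = osystem, series

def acquire(user: User, node: Node) -> None:
    if node.status != READY:
        raise ValueError("node is not available")
    node.status, node.owner = ALLOCATED, user

def release(user: User, node: Node) -> None:
    if not (user.is_admin or node.owner is user):
        raise PermissionError(f"{user.name} does not hold this node")
    # Reset on release so a choice never carries over to the next user.
    node.status, node.owner = READY, None
    node.osystem = node.distro_series = ""
```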