MAAS

get_machine_edit_form not validating from RBAC

Bug #1825104 reported by Lee Trager on 2019-04-17

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	MAAS	Triaged	Medium	Unassigned	MAAS 3.5.x

Bug Description

The MAAS websocket and API both use get_machine_edit_form, get_node_edit_form, and get_machine_create_form to determine which form should be used when editing or creating a Node/Machine. The function only checks admin status with user.is_superuser, it should be using user.has_perm(NodePermission.admin, node)

Tags:

Alberto Donato (ack) on 2019-09-24

Changed in maas:
status:	New → Triaged

Jerzy Husakowski (jhusakowski) on 2023-04-13

summary:	- [RBAC] get_machine_edit_form not validating from RBAC + get_machine_edit_form not validating from RBAC
Changed in maas:
importance:	Undecided → Medium
milestone:	2.6.0 → 3.5.0

Anton Troyanov (troyanov) on 2024-03-05

Changed in maas:
milestone:	3.5.0 → 3.5.x

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.