Thanks for catching this! I think #963 should fix it though, where we have a "whitelist" for pages that are open to the general public. For now, it's only "/view/director", "/view/registry", and "/view" (for the server selection page); other pages should be protected behind admin auth.
Pelican Version: Latest
Pelican Service:
Describe the bug
If I log in through CILogon and gain the role of a user, I can view the config.
{"authenticated":true,"role":"user","user":"http://cilogon.org/serverA/users/46022246"}
To Reproduce
Go to the registry page: https://osdf-registry.osg-htc.org/view/registry/
Sign in via CILogon with a non-admin account and view the config.
Expected behavior
I expect the config to return a 403 which will redirect the user.
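The deny-by-default check that the comment's list of public pages and the expected 403 describe, as an added Go example that is not Pelican's own code. Assumptions: the `Session` type, exact matching after path normalization, a 401 for unauthenticated requests, and `/api/config` as a placeholder for the config endpoint, whose real path is not given on this page.

```go
package main

import (
	"fmt"
	"net/http"
	"path"
)

// Session mirrors the "authenticated" and "role" fields of the response quoted in the report.
type Session struct {
	Authenticated bool
	Role          string
}

// Pages the comment lists as open to the general public.
var publicPages = map[string]bool{"/view": true, "/view/director": true, "/view/registry": true}

// Decide returns the status the guard answers with; anything off the allowlist needs the admin role.
func Decide(rawPath string, s Session) int {
	p := path.Clean("/" + rawPath) // collapses "//", "..", and a trailing "/"
	switch {
	case publicPages[p]:
		return http.StatusOK
	case !s.Authenticated:
		return http.StatusUnauthorized
	case s.Role != "admin":
		return http.StatusForbidden
	}
	return http.StatusOK
}

// Guard wraps a handler with the decision above; sessionOf is a hypothetical session lookup.
func Guard(sessionOf func(*http.Request) Session, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := Decide(r.URL.Path, sessionOf(r)); code != http.StatusOK {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	user := Session{Authenticated: true, Role: "user"} // role from the report
	// "/api/config" is a placeholder path (assumption), not taken from the page.
	for _, p := range []string{"/view/registry/", "/api/config", "/view/registry/../../api/config"} {
		fmt.Println(p, Decide(p, user))
	}
}
```

Normalizing before the lookup keeps a public prefix followed by `..` segments from being treated as a public page.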