Users are able to change the os and release when node is not acquired

Bug #1378936 reported by Blake Rouse
This bug affects 1 person
Affects: MAAS
Status: Fix Released
Importance: High
Assigned to: Newell Jensen

Bug Description

Currently a user can change the os and release without the node being allocated. This should not be allowed until the node is allocated.

Julian Edwards (julian-edwards) wrote :

Isn't this a security problem (DoS)? I think these values only get reset when releasing, right? It would leave a nasty surprise for someone.

Changed in maas:
importance: Medium → Critical
milestone: none → 1.7.0
summary: Users should not be able to change the os and release if node not
- required
+ acquired
summary: - Users should not be able to change the os and release if node not
- acquired
+ Users are able to change the os and release when node is not acquired
Christian Reis (kiko) wrote :

It can be argued it's a security issue, but it's a minor one -- someone can trick another user into using a specific image instead of the default.

Anyway, let's disallow this for non-admin users. Explicitly, if you're not an admin, you can't change the OS/Release information until it's acquired.

Changed in maas:
importance: Critical → High
Christian Reis (kiko)
Changed in maas:
assignee: nobody → Newell Jensen (newell-jensen)
Christian Reis (kiko)
Changed in maas:
milestone: 1.7.0 → next
Changed in maas:
status: Triaged → Fix Committed
Christian Reis (kiko)
Changed in maas:
milestone: next → 1.7.0
Changed in maas:
status: Fix Committed → Fix Released
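
A minimal model of the rule agreed in the comments above, added here as an illustration and not taken from the MAAS code base: a non-admin may change the OS/release only on a node that has been acquired, and the choice is reset on release. All class, function and state names are hypothetical, and the check that the acquiring user is the one making the change is an assumption beyond what the thread states.

```python
from dataclasses import dataclass
from typing import Optional

READY, ALLOCATED = "ready", "allocated"  # simplified node states (assumed names)

@dataclass
class User:
    name: str
    is_admin: bool = False

@dataclass
class Node:
    status: str = READY
    owner: Optional[str] = None
    osystem: str = ""   # "" means "deploy the default image"
    release: str = ""

def acquire(node, user):
    """Allocate a free node to a user."""
    if node.status != READY:
        raise PermissionError("node is not available")
    node.status, node.owner = ALLOCATED, user.name

def release_node(node):
    """Return the node to the pool; the OS/release choice is reset here."""
    node.status, node.owner = READY, None
    node.osystem = node.release = ""

def set_os_release(node, user, osystem, release):
    """Change the OS/release; non-admins only on a node they have acquired."""
    if not user.is_admin:
        if node.status != ALLOCATED:
            raise PermissionError("node must be acquired before changing OS/release")
        if node.owner != user.name:  # assumption: only the acquiring user may change it
            raise PermissionError("node is acquired by another user")
    node.osystem, node.release = osystem, release

def try_set(node, user, osystem, release):
    """Return True if the change was permitted, False if it was refused."""
    try:
        set_os_release(node, user, osystem, release)
        return True
    except PermissionError:
        return False
```

Without the status check, a value written to an unallocated node stays in place until the next release, so the next user to acquire the node deploys an image they did not choose.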