Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Normal
Fix Version/s: 6.18.0
Affects Version/s: 6.15.0, 6.16.0, 6.17.0
Component/s: Registration
Labels:
- team-triaged
- triaged

Story Points:
5
Target Version:

6.18.0
Blocked:
False
GitHub Issue:
https://github.com/theforeman/foreman/pull/10535
Severity:
Moderate
AssignedTeam:
sat-endeavour

Release Note Type:
None
Release Note Text:
None
Release Note Status:
None

PX Impact Score:
SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Test Coverage:

Automated

Market:

Description of problem:

A user with no assigned roles is able to access the https://satellite.example.com/hosts/register page. This is a security concern as it allows unauthorized users to access a registration interface, which should be restricted.

How reproducible:

100%

Is this issue a regression from an earlier version:

Steps to Reproduce:

1. Create a user account with no assigned roles in Satellite.

2. Log in with this user and navigate to https://satellite.example.com/hosts/register.

3. Observe that the page is accessible instead of displaying a "No Permission" error.

Actual behavior:

Users without roles can still access the /hosts/register page.

Expected behavior:

As the user does not have any privileges, so Permission denied should be visible for all the pages for satellite.

Business Impact / Additional info:

Security threat.

1.	[QE Automation] Access to the registration page is denied for non-admin user #18652		Closed		Amol Patil
2.	Insufficient Page Authorization		Closed		Amol Patil

Assignee:: Leos Stejskal

Reporter:: Satyajit Das

QA Contact:: Amol Patil

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/03/09 4:54 PM

Updated:: 2025/10/10 9:55 AM

Resolved:: 2025/06/09 12:22 PM

Details

Description

Attachments

Easy Agile Planning Poker

Sub-Tasks

Activity

People

Dates