It is possible to deploy without permissions
Hi,
I am currently testing this plugin. It looks promising, but it was possible to bypass the permission checking.
Steps to reproduce:
- Create a user with permissions only to deploy to a single environment
- Get the id of another environment (one on which the new user does not have permission to deploy)
- Log in as the new user
- Deploy while recording the network traffic (e.g. F12 in Firefox)
- Change the environment id (use edit and resend in Firefox) in the POST to /plugins/servlet/deploy/customdeploystart
Deployment works and I can even see which user has run the deployment.
Comments (6)
repo owner - changed status to resolved
Thank you for raising the issue! I will publish the fix in the marketplace in the next few minutes.
Julius
-
reporter Thanks for very quick fix!
I have checked and can confirm that after your fix it is not possible to deploy without permission to an environment. However, it still returns a 302 HTTP status instead of 403 like a normal deployment does. Maybe you can fix that too (it is a minor issue, however)?
-
repo owner Hi, I know it is doing a redirect and the status is not quite visible. I will try to add a simple error page with the failure reason tomorrow, instead of the redirect to the environment page.
-
repo owner Basic error pages are up and new version in marketplace.
Julius
-
reporter It works as expected. Thank you again!
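The two points raised in this thread (authorising the environment id actually submitted in the POST, and answering 403 instead of a 302 redirect) as an added illustration; this is constructed example code, not the plugin's own code, and the `environmentId` form field, the environment ids and the user names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample data: environment ids and per-user deploy permissions.
ENVIRONMENTS = {"env-1": "staging", "env-2": "production"}  # placeholder ids
DEPLOY_PERMISSIONS = {"alice": {"env-1"}}  # alice may deploy only to env-1

# Denied requests are recorded here so a defender can alert on tampered ids.
AUDIT_LOG = []


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


def vulnerable_customdeploystart(user, form):
    """Behaviour the report describes: the id in the request is trusted because
    the UI only ever offered environments the user may deploy to."""
    env_id = form.get("environmentId")  # field name is an assumption
    if env_id not in ENVIRONMENTS:
        return Response(404, "unknown environment")
    return Response(200, f"deployment to {ENVIRONMENTS[env_id]} started by {user}")


def redirecting_customdeploystart(user, form):
    """Intermediate state from the comments: permission is checked, but a
    failure is hidden behind a 302 redirect to the environment page."""
    env_id = form.get("environmentId")
    if env_id not in ENVIRONMENTS:
        return Response(404, "unknown environment")
    if env_id not in DEPLOY_PERMISSIONS.get(user, set()):
        return Response(302, headers={"Location": f"/environment/{env_id}"})
    return Response(200, f"deployment to {ENVIRONMENTS[env_id]} started by {user}")


def fixed_customdeploystart(user, form):
    """Authorise against the submitted id and fail with an explicit 403."""
    env_id = form.get("environmentId")
    if env_id not in ENVIRONMENTS:
        return Response(404, "unknown environment")
    if env_id not in DEPLOY_PERMISSIONS.get(user, set()):
        AUDIT_LOG.append(f"deploy denied user={user} environmentId={env_id}")
        return Response(403, f"{user} may not deploy to {ENVIRONMENTS[env_id]}")
    return Response(200, f"deployment to {ENVIRONMENTS[env_id]} started by {user}")
```

The denied request is logged with the tampered id, which gives a detection signal that the silent redirect never did.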