Multi-tenancy issue!!!

Posted: Thu Feb 25, 2016 3:59 pm
by BanditBBS
I was just giving a demo in join.me to a customer and I masqueraded as her. Everything was fine until I clicked on the "Scheduled Downtime" link. It shows everything for all customers!

Can someone else verify this is not just something screwy in my environment?

Re: Multi-tenancy issue!!!

Posted: Thu Feb 25, 2016 4:02 pm
by rkennedy
Was she an admin or a user, and what privileges does she have enabled?

A screenshot of her 'Edit User' page will work to answer this. I'll try to replicate it on my end.

Also - what version of XI are you on currently?

Re: Multi-tenancy issue!!!

Posted: Thu Feb 25, 2016 4:14 pm
by BanditBBS
Capture.PNG
XI 5.2.1

Re: Multi-tenancy issue!!!

Posted: Thu Feb 25, 2016 4:52 pm
by rkennedy
I can confirm that with those privileges a user can see all OTHER scheduled downtime. When they try to schedule host downtime, it will only allow them to do so for the hosts / services they have access to.

Is this what you were referring to?

Re: Multi-tenancy issue!!!

Posted: Thu Feb 25, 2016 5:05 pm
by BanditBBS
Yeah, they shouldn't be able to see the other downtimes. They don't have permissions to see those items anywhere else within Nagios except on that downtime page.

Re: Multi-tenancy issue!!!

Posted: Thu Feb 25, 2016 5:42 pm
by lmiltchev
I was also able to recreate the issue, and I believe this is a bug. I filed an internal bug report (TASK ID 7876).