A scoped admin can download all API configuration #272

Closed
ThibautGery opened this issue Jul 26, 2016 · 5 comments

Comments

@ThibautGery
Contributor

An administrator scoped to a certain host can download all the API configurations, which may be private (in my case, I add a private token in the header of the conf).

Is it a bug or a feature? Would you accept a PR on this matter?

@GUI
Member

GUI commented Jul 26, 2016

This would definitely be a security bug.

In taking a quick look, is this via the import/export functionality, or are you seeing this in some other way? I think the import/export functionality pre-dated the admin scope permissions, and it looks like we might have missed adding the admin scope permissions in that area 😟. But now that seems like a pretty glaring oversight... So while it is limited to people with valid admin accounts, we definitely don't want admins to be able to view or edit anything outside their permission scopes.

As the import/export tool exists now, I think only superuser admins should have access to it. That would be the quickest fix, but would that work for you? Or are you interested in having admins with limited permissions also being able to import and export only their APIs? I can definitely see potential use-cases for that, it just makes fixing it a bit more involved (but certainly doable). So before making any changes, I was just curious about your potential use-cases.

And we'd accept any pull requests, but I'm also happy to fix this today. Thank you very much for bringing this to our attention.
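
The two fixes discussed above (superuser-only export, or an export filtered to the admin's own host scopes), as an added Ruby example that is not API Umbrella's own code; the admin and config shapes, the `frontend_host` field and the sample token values are constructed assumptions:

```ruby
# Added example (not API Umbrella's code): authorization checks for an
# API-config export. Assumed shapes: an admin has a superuser flag and a list
# of host scopes; each API config carries a frontend_host and its settings.
require 'json'

Admin = Struct.new(:username, :superuser, :scopes, keyword_init: true)

# Constructed sample configs; the header values stand in for private tokens.
API_CONFIGS = [
  { 'name' => 'public-api', 'frontend_host' => 'api.example.com',
    'settings' => { 'headers' => [{ 'key' => 'X-Token', 'value' => 'TOKEN-A' }] } },
  { 'name' => 'partner-api', 'frontend_host' => 'partner.example.com',
    'settings' => { 'headers' => [{ 'key' => 'X-Token', 'value' => 'TOKEN-B' }] } }
].freeze

class ForbiddenError < StandardError; end

# Quickest fix from the discussion: only superusers may export at all.
def export_superuser_only(admin, configs = API_CONFIGS)
  raise ForbiddenError, "#{admin.username} is not a superuser" unless admin.superuser
  JSON.pretty_generate(configs)
end

# Scoped variant: a non-superuser only receives the configs whose frontend_host
# falls inside one of their host scopes, so private headers belonging to other
# hosts never leave the server.
def export_scoped(admin, configs = API_CONFIGS)
  visible = configs.select { |c| in_scope?(admin, c['frontend_host']) }
  JSON.pretty_generate(visible)
end

def in_scope?(admin, host)
  return true if admin.superuser
  Array(admin.scopes).any? { |s| s.casecmp?(host) }
end

# Which API names does a given export reveal? (used for checks)
def exported_names(json)
  JSON.parse(json).map { |c| c['name'] }
end

if __FILE__ == $PROGRAM_NAME
  scoped = Admin.new(username: 'scoped-admin', superuser: false, scopes: ['partner.example.com'])
  puts exported_names(export_scoped(scoped)).inspect
end
```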

@ThibautGery
Contributor Author

ThibautGery commented Jul 26, 2016

I don't have a use case. You should disable it for the scoped admin. I will let you fix it today, I won't be able to do it this week.

Thank you

@GUI
Member

GUI commented Jul 27, 2016

I have a fix for this ready, but it will probably be tomorrow before I can get updated packages published with this fix. Thanks again for the notification about this.

@ThibautGery
Contributor Author

ThibautGery commented Jul 27, 2016

I am not in production yet, so it is not critical for me.

You're welcome.


@GUI
Member

GUI commented Aug 1, 2016

Sorry for the delay. This has been released in the v0.13.0 packages now available.

It turns out the entire import/export tool has been broken for a while (maybe 1-2 years), so to resolve this issue, we've actually removed the import/export tool entirely. You can see the explanation in these commit comments: 9a88f7e and 53d1ef8.

Since this feature had been broken for a while, hopefully removing it won't have much effect. However, if anyone is interested in seeing this feature restored, feel free to speak up.

Thanks again, @ThibautGery, for bringing this to our attention!
