Galaxy UI hides users/groups/roles from navigation pane in a client-side editable way

Hello.

I’m using galaxy-ng 4.9.2 via the galaxy-operator.

I’ve noticed a bug wherein you can intercept and proxy the response given from /api/galaxy/_ui/v1/me to view UI elements that probably aren’t intended to be viewed by a non-super user.

If you intercept the response from /api/galaxy/_ui/v1/me, edit the parameters model_permissions, username, is_superuser, and proceed down the UI, you will then be able to view the items under User Access that are normally invisible to the user. If you continue along with this proxy interception, you will be able to see the groups on the system as well as the roles. Note that you still cannot edit or create new groups, users, or roles as it seems like this check is still fully server-side, so this isn’t that concerning. However, it probably is unintended behavior.

An easy way to see a facsimile of this without request proxying is to create a non-superuser user, log in with its credentials, and then go to http://{galaxyservername}/ui/roles, and that user will be able to see the system roles. I assume this is not intentional since User Access is not visible on the user’s left window pane.

My apologies if my description of this is lacking. Basically, it seems the UI shows/hides the User Access pane and pages totally client-side, and this can theoretically be intercepted by a user and they can gain read-only rights to see things they probably aren’t normally intended to see. They can’t edit/create them, though.

It’s true that the UI does expose elements conditionally based on what information it finds about you in the _ui/v1/me/ response, however the backend fully controls the RBAC on what data a user can see.

The majority of the definitions about who can see what are defined in this file: https://github.com/ansible/galaxy_ng/blob/master/galaxy_ng/app/access_control/statements/standalone.py

It currently states that that any “authenticated” user can list and retrieve groups …

So while that may be suprising, it is currently how the system is designed.

If you’d like that to change or have concerns, please file a ticket in our issue tracker https://issues.redhat.com/projects/AAH