Galaxy UI hides users/groups/roles from navigation pane in a client-side editable way

mcen1 · June 19, 2024, 1:57pm

Hello.

I’m using galaxy-ng 4.9.2 via the galaxy-operator.

I’ve noticed a bug wherein you can intercept and proxy the response given from /api/galaxy/_ui/v1/me to view UI elements that probably aren’t intended to be viewed by a non-super user.

If you intercept the response from /api/galaxy/_ui/v1/me, edit the parameters model_permissions, username, is_superuser, and proceed down the UI, you will then be able to view the items under User Access that are normally invisible to the user. If you continue along with this proxy interception, you will be able to see the groups on the system as well as the roles. Note that you still cannot edit or create new groups, users, or roles as it seems like this check is still fully server-side, so this isn’t that concerning. However, it probably is unintended behavior.

An easy way to see a facsimile of this without request proxying is to create a non-superuser user, log in with its credentials, and then go to http://{galaxyservername}/ui/roles, and that user will be able to see the system roles. I assume this is not intentional since User Access is not visible on the user’s left window pane.

My apologies if my description of this is lacking. Basically, it seems the UI shows/hides the User Access pane and pages totally client-side, and this can theoretically be intercepted by a user and they can gain read-only rights to see things they probably aren’t normally intended to see. They can’t edit/create them, though.

tannerjc · June 27, 2024, 4:21am

It’s true that the UI does expose elements conditionally based on what information it finds about you in the _ui/v1/me/ response, however the backend fully controls the RBAC on what data a user can see.

The majority of the definitions about who can see what are defined in this file: https://github.com/ansible/galaxy_ng/blob/master/galaxy_ng/app/access_control/statements/standalone.py

It currently states that that any “authenticated” user can list and retrieve groups …

github.com

ansible/galaxy_ng/blob/master/galaxy_ng/app/access_control/statements/standalone.py#L79-L84


      
          _group_role_statements = [
              {
                  "action": ["list", "retrieve"],
                  "principal": "authenticated",
                  "effect": "allow",
              },

So while that may be suprising, it is currently how the system is designed.

If you’d like that to change or have concerns, please file a ticket in our issue tracker https://issues.redhat.com/projects/AAH

system · July 27, 2024, 4:21am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Management of Namespace Owners in Galaxy Get Help galaxy-ng	8	232	October 19, 2023
Missing group access in ansible galaxy - can't maintain my roles Get Help galaxy-ng , galaxy	2	183	December 20, 2023
My Content section and importing new releases in new galaxy.ansible.com Get Help galaxy-ng	2	264	October 2, 2023
Logged in as different users on Ansible Galaxy Get Help galaxy-ng	4	406	October 3, 2023
New Ansible Galaxy Web Portal - where is all the old Role admin functionality? Get Help galaxy-ng	1	281	November 14, 2023

Galaxy UI hides users/groups/roles from navigation pane in a client-side editable way

Related topics