User able to access API endpoint without required permissions.
In Amorphic we have different sets of permissions for accessing different components and features. These permissions are granted to an Amorphic role, and users who have access to that role can use those features. This bug concerns users who were able to call specific APIs, and use the features behind them, even when their role did not have the required permission.
Affected Versions: 2.6.1 and below
Fix Version: 2.7
Root cause(s)
Users were able to call a few API endpoints with a role that does not have permission to call those endpoints. The API endpoints and the permissions required to call them are:
| API endpoint | Required permissions |
|---|---|
| /verticals | verticals.list, vertical.view, vertical.update |
| /datasets/{id}/dataloads | datasets.list, users.list, groups.list |
| /dr-information | systemhealth.view |
The users could call these endpoints even with a role which doesn't have above mentioned permissions.
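The missing check, shown as an added example that is not Amorphic's code: a per-endpoint permission gate built from the table above, with the unchecked handler shape next to the fixed one. The role names, the regexes used to match `{id}`, and the all-of semantics (every listed permission must be held) are assumptions of this example, not statements from the advisory.

```python
import re

# Endpoint patterns -> permissions required to call them (from the advisory's table).
# "{id}" is matched as one path segment; the regexes are this example's assumption.
REQUIRED_PERMISSIONS = {
    re.compile(r"^/verticals$"): {"verticals.list", "vertical.view", "vertical.update"},
    re.compile(r"^/datasets/[^/]+/dataloads$"): {"datasets.list", "users.list", "groups.list"},
    re.compile(r"^/dr-information$"): {"systemhealth.view"},
}

# Constructed sample roles (not from the advisory); a role is a set of permission strings.
ROLES = {
    "platform-admin": {"verticals.list", "vertical.view", "vertical.update",
                       "datasets.list", "users.list", "groups.list", "systemhealth.view"},
    "dataset-reader": {"datasets.list"},
}


def required_for(path):
    """Return the permission set an endpoint needs, or None if the path is not in the table."""
    for pattern, perms in REQUIRED_PERMISSIONS.items():
        if pattern.match(path):
            return perms
    return None


def missing_permissions(role, path):
    """Permissions the endpoint needs that the role lacks (all-of semantics, assumed here)."""
    required = required_for(path)
    if required is None:
        raise KeyError(f"no permission mapping for {path}: deny by default")
    return required - ROLES.get(role, set())


def handle_before_fix(role, path):
    """Vulnerable shape: the handler never consults the role's permissions."""
    return 200


def handle_after_fix(role, path):
    """Fixed shape: deny unless every required permission is held by the role."""
    try:
        missing = missing_permissions(role, path)
    except KeyError:
        return 403
    return 200 if not missing else 403


if __name__ == "__main__":
    for role in ROLES:
        for path in ("/verticals", "/datasets/ds-42/dataloads", "/dr-information"):
            print(role, path, handle_before_fix(role, path), handle_after_fix(role, path))
```

The unmapped-path branch is the detection-friendly part: an endpoint with no permission mapping is refused and can be logged, rather than silently allowed as in the pre-fix shape.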
Impact
Any user could call the endpoints listed in the Root cause(s) section with any role assigned to them, regardless of that role's permissions.
Mitigation
Fix will be available in Amorphic version 2.7.
Timeline
```mermaid
gantt
    title Timeline
    dateFormat YYYY-MM-DD
    tickInterval 7day
    axisFormat %b-%d
    todayMarker off
    section Tracker
    %% update the ticket number and date of bug report
    CLOUD-4917 : done, 2024-08-29, 0d
    section Identification
    Reported : crit, des1, 2024-08-29, 0d
    section Mitigation
    %% Update number of days took for each step below
    Bug fixed: milestone, 2024-09-01, 1d
    section Delivery
    %% update the date of each step below
    testing complete: milestone, 2024-09-27, 1d
    fix available: milestone, 2024-10-14, 1d
```
- 2024-08-29: Bug reported/identified (CLOUD-4917)
- 2024-08-29: Bug triaged
- 2024-09-01: Bug fixed
- 2024-09-27: Testing of fix is completed
- 2024-10-14: Amorphic version 2.7 released with the bugfix