
Team user can access os versions (with CVEs) that belong to hosts they don't have access to

Status: Open. getvictor opened this issue 1 year ago • 0 comments

Fleet version: 4.45.0

Web browser and operating system:


💥  Actual behavior

Team user accessing os version on another team gets a valid response from API endpoint: GET https://localhost:8080/api/v1/fleet/os_versions/5

This bug is similar to https://github.com/fleetdm/fleet/issues/16052 and the fix should be similar.

As a bonus, also modify the response for global admin user for a team that does not exist from a 403 to a 404 https://localhost:8080/api/v1/fleet/os_versions/5?team_id=99999

🧑‍💻  Steps to reproduce

See above.

🕯️ More info (optional)

N/A

🛠️ To fix

Mirror what was done for GET /api/v1/fleet/software/titles/:id and GET /api/v1/fleet/software/versions/:id

getvictor, Feb 23 '24 13:02
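The check the issue asks for, written out as an added Go example that is not Fleet's own code: a team-scoped lookup of an OS version with the unchecked "before" lookup beside the hardened one. The `User`, `OSVersion` and `Store` types, the in-memory data, and the mapping of `ErrForbidden` to HTTP 403 and `ErrNotFound` to HTTP 404 are all assumptions made for the example. The order of checks follows the issue: a caller who may not read a team gets 403 without learning whether the team exists, while a global admin asking for a team that does not exist gets 404; returning 403 (rather than 404) to a team user who requests, without a team filter, an OS version present only on other teams is a further assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Fleet's code. ErrForbidden stands for HTTP 403,
// ErrNotFound for HTTP 404 (assumed mapping).
var (
	ErrForbidden = errors.New("forbidden")
	ErrNotFound  = errors.New("not found")
)

// User is a hypothetical caller: a global admin or a member of some teams.
type User struct {
	Name        string
	GlobalAdmin bool
	TeamIDs     []uint
}

// OSVersion records which teams have hosts running it (hypothetical shape).
type OSVersion struct {
	ID      uint
	Name    string
	TeamIDs []uint
}

// Store is an in-memory stand-in for the datastore.
type Store struct {
	Teams      map[uint]string
	OSVersions map[uint]OSVersion
}

func contains(ids []uint, id uint) bool {
	for _, v := range ids {
		if v == id {
			return true
		}
	}
	return false
}

// Global admins reach every team; team users only their own.
func (u User) canAccessTeam(teamID uint) bool {
	return u.GlobalAdmin || contains(u.TeamIDs, teamID)
}

// GetOSVersionUnchecked reproduces the reported behaviour: the record is
// returned to any authenticated user, whatever their team membership.
func (s *Store) GetOSVersionUnchecked(u User, id uint) (OSVersion, error) {
	v, ok := s.OSVersions[id]
	if !ok {
		return OSVersion{}, ErrNotFound
	}
	return v, nil
}

// GetOSVersion is the hardened lookup. The team access check runs before the
// team existence check, so a non-member gets 403 and never learns whether the
// team exists, while a global admin asking for a missing team gets 404.
func (s *Store) GetOSVersion(u User, id uint, teamID *uint) (OSVersion, error) {
	if teamID != nil {
		if !u.canAccessTeam(*teamID) {
			return OSVersion{}, ErrForbidden
		}
		if _, ok := s.Teams[*teamID]; !ok {
			return OSVersion{}, ErrNotFound
		}
	}
	v, ok := s.OSVersions[id]
	if !ok {
		return OSVersion{}, ErrNotFound
	}
	if teamID != nil {
		// With a team filter, the OS version must actually be present on that team.
		if !contains(v.TeamIDs, *teamID) {
			return OSVersion{}, ErrNotFound
		}
		return v, nil
	}
	if u.GlobalAdmin {
		return v, nil
	}
	// No team filter: a team user only sees OS versions present on one of their teams.
	for _, t := range v.TeamIDs {
		if contains(u.TeamIDs, t) {
			return v, nil
		}
	}
	return OSVersion{}, ErrForbidden
}

// NewSampleStore builds constructed data: two teams, OS version 5 only on team 2.
func NewSampleStore() *Store {
	return &Store{
		Teams: map[uint]string{1: "workstations", 2: "servers"},
		OSVersions: map[uint]OSVersion{
			5: {ID: 5, Name: "Ubuntu 22.04.3 LTS", TeamIDs: []uint{2}},
		},
	}
}

func main() {
	s := NewSampleStore()
	teamUser := User{Name: "team1-observer", TeamIDs: []uint{1}}
	admin := User{Name: "global-admin", GlobalAdmin: true}
	missing := uint(99999)

	_, err := s.GetOSVersionUnchecked(teamUser, 5)
	fmt.Println("unchecked, team user:", err) // <nil>: the reported leak
	_, err = s.GetOSVersion(teamUser, 5, nil)
	fmt.Println("checked, team user:", err) // forbidden
	_, err = s.GetOSVersion(admin, 5, &missing)
	fmt.Println("checked, admin, team 99999:", err) // not found
}
```

Doing the membership check on the OS version itself, rather than trusting the caller's `team_id` query parameter alone, is what closes the gap: the record's own team list decides visibility, so omitting the filter does not widen what a team user can read.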