Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Make listing users and groups a privileged endpoint #5002

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Tracked by #4748
sharkymark opened this issue Nov 10, 2022 · 6 comments · Fixed by #8650
Closed
Tracked by #4748

Make listing users and groups a privileged endpoint #5002

sharkymark opened this issue Nov 10, 2022 · 6 comments · Fixed by #8650
Assignees
@Emyrk

Comments

@sharkymark
Copy link
Contributor

sharkymark commented Nov 10, 2022
edited by Emyrk
Loading

Objective

  • Regular members on coder will not be able to list or read other members/users.
  • To maintain good UX, context information of created_by will be kept on templates, workspace builds, etc. This will require the read permission on the primary resource being fetched. Included user info will be username and avatar_url.
  • A new route will be added to list username + avatar of all users. This endpoint is only usable if a user has "admin" perms on a given template so they can adjust the permissions for said template.

Related:

Version: v0.12.5+165b6fb

I'll post again for visibility but it seems like an anti-pattern to show the Users UI to any user.

This view shows users' roles so a form of social engineering could occur.

Groups are shown as well, which does seem secure.

If the other issue is being worked, great, but empathizing again.

Lastly, if a large deployment, this is a waste of DB calls if someone bounced onto it.

image
image
@sharkymark sharkymark changed the title feat: show all Users and Groups to any role feat: do not show all Users and Groups to any role Nov 10, 2022
@bpmct bpmct mentioned this issue Nov 10, 2022
Closed
21 tasks
@sharkymark sharkymark mentioned this issue Nov 14, 2022
Closed
@Emyrk
Copy link
Member

Emyrk commented Nov 14, 2022
edited
Loading

We need to change this assumption and correct the db calls:

coder/coderd/rbac/builtin.go

Lines 204 to 205 in 88e24db

ResourceType: ResourceGroup.Type,
Action: ActionRead,

@mtojek
Copy link
Member

mtojek commented Nov 21, 2022

I can take this task unless somebody else planned to work on it. I see 2 approaches we can apply here.

Approach 1: Normal users don't see the Users tab

  1. Site: Hide the Users tab
  2. Backend: check user permissions while accessing Users API and Groups API.

Approach 2: Leave Groups sub-tab

  1. Site: Leave the Users tab, but hide the sub-tab Users.
  2. Site: Remove the Users column (avatars) from the Groups sub-tab. Theoretically, you can use this information to figure out who is the admin.
  3. Backend: check user permissions while accessing Users API.
  4. Backend: remove user references (avatar, login, email) from the Groups API.

@sharkymark Which approach do you think will be more convenient for customers? From a security perspective, it depends if there can be secret groups, which should be hidden the same way as users.

Side issue: Groups API and User API return email addresses. I have a feeling that we should limit this behavior...

@mtojek mtojek mentioned this issue Nov 28, 2022
Closed
@bpmct bpmct closed this as not planned Won't fix, can't repro, duplicate, stale Nov 30, 2022
@bpmct bpmct reopened this Nov 30, 2022
@bpmct bpmct mentioned this issue Nov 30, 2022
Closed
@klauserber
Copy link

We are running IT workshops on coder (#5058) and on every workshop start I have to talk with the participants about leaking there eMails addresses or may use fake addresses to register.

Would be good to know if and how this behaviour will be changed in future. May we have to use 'synthetic' emails addresses for every user, but this is a more or less ugly workaround.

With other words, a solution from coder would be very nice.

@Emyrk
Copy link
Member

Emyrk commented Jan 2, 2023

Just want to add if we remove the read permission from User resource, we should also do something about the organization-member role.

I wonder if this is something orgs can do. Preventing users from seeing members in different organizations.

@Emyrk Emyrk mentioned this issue Mar 24, 2023
Closed
@Emyrk
Copy link
Member

Emyrk commented Mar 24, 2023

@sharkymark Should we always hide groups? Should there be public and private groups? Should we show private groups if you are a member? Should we hide all users always to other members?

@bpmct
Copy link
Member

bpmct commented Mar 24, 2023

Should we always hide groups?

Let's only show user what groups they are in, perhaps in the account dropdown as pills.

Should we hide all users always to other members?

would users be able to join public groups? is that how it works? I don't think we need to do this immediately

Should we hide all users always to other members?

yes

Should we show private groups if you are a member?

Let's only show user what groups they are in, perhaps in the account dropdown as pills.

@kylecarbs kylecarbs changed the title feat: do not show all Users and Groups to any role Make listing users a privileged endpoint Apr 3, 2023
@kylecarbs kylecarbs changed the title Make listing users a privileged endpoint Make listing users and groups a privileged endpoint Apr 3, 2023
@bpmct bpmct added this to the ❓Sprint 2 milestone Jun 14, 2023
@ammario ammario removed this from the ❓Sprint 2 milestone Jun 29, 2023
@bpmct bpmct mentioned this issue Jul 6, 2023
Closed
@Emyrk Emyrk self-assigned this Jul 10, 2023
@Emyrk Emyrk mentioned this issue Jul 12, 2023
Closed
4 tasks
@matifali matifali mentioned this issue Jul 17, 2023
Closed
This was referenced Jul 17, 2023
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Emyrk Emyrk

Labels
None yet
Projects
None yet
Milestone
No milestone
7 participants
@sharkymark @Emyrk @ammario @klauserber @matifali @mtojek @bpmct