Clicking on <agent> of a build result reveals details of all run builds, not only for the ones for which a non-Admin user has View permission

2019-09-03T18:28:49
ID ATLASSIAN:BAM-20609
Type atlassian
Reporter gforster@atlassian.com
Modified 2019-09-24T13:19:08

Description

h3. Environment

This issue has been confirmed for Bamboo versions 6.7.2 and 6.9.1 and likely affects all Bamboo versions.

h3. Steps to Reproduce

# Define a non-Admin user (a Bamboo admin should already exist via installation)
# Grant this user global, project and plan permissions, anything except Admin
# Run a build plan that this non-Admin user is allowed to execute
# Navigate to the "Build dashboard" >> click on the running build showing the agent it runs on (or on any already completed build that also indicates the agent it ran on) >> click on the agent link

This brings you to the Agent summary > agent page ([http://bamboo-server-name/agent/viewAgents.action?agentId=x]).

h3. Expected Results

Under the "Recent builds" tab, only builds this non-Admin user has View permission for should be listed. For those builds, all recent or currently running builds are expected to show up with full details such as "triggered by", completion time, run duration and build status.

h3. Actual Results

Under the "Recent builds" tab, all builds are listed with the full set of information, not only the ones this non-Admin user has View permission for.

h3. Notes
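The permission gap described above, as an added illustration that is not Bamboo's code: a minimal model of an agent's "Recent builds" listing, showing the unfiltered query next to one that applies the user's per-plan View permission. All classes, plan keys and sample builds are hypothetical and constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Build:
    """One build result as shown on the agent page (constructed fields)."""
    plan_key: str
    agent_id: int
    triggered_by: str
    completed_at: str
    duration_seconds: int
    status: str


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False
    view_plans: frozenset = frozenset()  # plan keys with an explicit View grant

    def can_view(self, plan_key: str) -> bool:
        # Admins see every plan; everyone else needs View on that plan.
        return self.is_admin or plan_key in self.view_plans


# Constructed sample data: two plans, two agents, three build results.
BUILDS = [
    Build("PROJ-PUBLIC", 1, "alice", "2019-09-03T18:00:00", 120, "Successful"),
    Build("PROJ-SECRET", 1, "bob", "2019-09-03T18:10:00", 300, "Failed"),
    Build("PROJ-SECRET", 2, "bob", "2019-09-03T18:20:00", 280, "Successful"),
]


def recent_builds_unfiltered(agent_id: int) -> list:
    """Behaviour reported in BAM-20609: every build that ran on the agent,
    with full details, regardless of who is asking."""
    return [b for b in BUILDS if b.agent_id == agent_id]


def recent_builds_for_user(agent_id: int, user: User) -> list:
    """Expected behaviour: the same listing, restricted to plans the
    requesting user holds View permission on."""
    return [b for b in recent_builds_unfiltered(agent_id) if user.can_view(b.plan_key)]


if __name__ == "__main__":
    viewer = User("carol", view_plans=frozenset({"PROJ-PUBLIC"}))
    print("unfiltered:", [b.plan_key for b in recent_builds_unfiltered(1)])
    print("filtered:  ", [b.plan_key for b in recent_builds_for_user(1, viewer)])
```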

This behavior can be regarded as an information leak, at least in the sense that unauthorized users can see information they are not permitted to view.

h3. Workaround

Currently there is no known workaround for this behavior. One will be added here when available.