Issue Number | 5354 |
---|---|
Summary | Suppress ad-hoc query page for unprivileged users |
Created | 2024-12-20 11:44:47 |
Issue Type | Improvement |
Submitted By | Kline, Bob (NIH/NCI) [C] |
Assigned To | Kline, Bob (NIH/NCI) [C] |
Status | QA Verified |
Resolved | 2024-12-20 12:18:11 |
Resolution | Fixed |
Path | /home/bkline/backups/jira/ocecdr/issue.484517 |
Prevent users who are not members of the Board Managers, CIAT/OCC, or Developers menu group from seeing or using the ad-hoc query page.
Acceptance criteria:
1. Log on to CDR admin using an account which is a member of at least one of the groups named above.
2. Verify that the footer contains a link labeled Queries.
3. Verify that the link brings up a separate browser tab with the title CDR Stored Database Queries.
4. Confirm that stored queries can be selected and run, and that new queries can be run successfully.
5. Run the query `SELECT title FROM document WHERE id = 49` and confirm that it runs successfully.
6. Submit the query `UPDATE document SET title = 'bogus' WHERE id = 49` and confirm that it is rejected.
7. Log off.
8. Open https://cdr-qa.cancer.gov/cgi-bin/cdr/Admin.py?Session=guest in your browser (adjusting the URL to match the tier on which you are testing).
9. Verify that the Queries link does not appear in the footer.
10. Open https://cdr-qa.cancer.gov/cgi-bin/cdr/CdrQueries.py?Session=guest in your browser (adjusting the URL to match the tier on which you are testing).
11. Confirm that the notification "Not permitted" is displayed.
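The permission gate that these criteria exercise, written out as an added example (not CDR's own code): the three group names and the "Not permitted" notification come from this issue, while the session store, the handler name and the rule that only a leading SELECT is accepted are assumptions made for the example.

```python
import re

# Groups allowed to see and use the Queries page (named in this issue).
QUERY_GROUPS = frozenset({"Board Managers", "CIAT/OCC", "Developers"})

# Constructed stand-in for the server-side session store: session -> groups.
# The "guest" session of the acceptance criteria has no privileged groups.
SESSIONS = {
    "guest": frozenset(),
    "sess-dev": frozenset({"Developers"}),
    "sess-board": frozenset({"Board Managers", "Unrelated Group"}),
}

# First statement keyword, skipping leading whitespace and SQL comments.
_LEADING = re.compile(r"^\s*(?:--[^\n]*\n\s*|/\*.*?\*/\s*)*([A-Za-z]+)", re.S)


def may_use_queries(session: str) -> bool:
    """True only if the session belongs to at least one permitted group.

    One decision drives both behaviours in the issue: whether the footer
    shows the Queries link and whether CdrQueries.py serves the page.
    """
    return bool(SESSIONS.get(session, frozenset()) & QUERY_GROUPS)


def is_read_only(sql: str) -> bool:
    """Accept a statement only if it begins with SELECT and is not stacked.

    Assumption: the issue says the UPDATE is "rejected" but not how; this
    models it as a leading-keyword check. A semicolon outside a string
    literal is treated as a hidden second statement and refused.
    """
    m = _LEADING.match(sql)
    if not m or m.group(1).upper() != "SELECT":
        return False
    without_literals = re.sub(r"'(?:[^']|'')*'", "", sql)
    return ";" not in without_literals.rstrip().rstrip(";")


def handle_query_request(session: str, sql: str) -> str:
    """Model of CdrQueries.py: check the group first, then the statement.
    "Not permitted" is the notification named in the issue; the other two
    responses are constructed for this example."""
    if not may_use_queries(session):
        return "Not permitted"
    if not is_read_only(sql):
        return "Rejected: only SELECT statements may be run here"
    return "OK: " + sql.strip()
```

Checking the group before looking at the SQL means an unprivileged session never reaches the statement parser, which is the order the acceptance criteria test (link hidden, then page refused).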
This has been implemented on CDR QA. Please test, ~oseipokuw.
Verified on QA. Thanks!
Good, thanks. I'll get CBIIT to patch STAGE and we can have them re-run the scan. Will keep you posted.
NCI-RITM0569410 is the ticket for having CBIIT patch CDR STAGE. ~oseipokuw is the watcher.
It looks like CBIIT has patched STAGE. The acceptance criteria passed on STAGE. Let me know if I should inform CBIIT that the vulnerability has been addressed.