
bug: Security gap in approval workflow allows creator of the task to self-approve #14337

Closed
mgorsk1 opened this issue Dec 11, 2023 · 0 comments · Fixed by #14338


mgorsk1 commented Dec 11, 2023

Affected module
UI

Describe the bug
When creating a task (like "request description") you can assign either a user or a team/group/business unit to approve/decline it. The bug allows a user to assign a team they are a part of to a task and subsequently self-approve it. It allows bypassing the 4-eyes principle, which I think should be enforced in every scenario for the task workflow.

To Reproduce

  • add user X to team Y
  • create a task 'request description' on a table and add team Y as approver for this task
  • user X can now self-approve the request

Expected behavior

  • users can't self-approve if the request was assigned to the user's team. This enforces the 4-eyes principle in every scenario.

Version:

  • OS: [e.g. iOS]
  • Python version:
  • OpenMetadata version: [e.g. 0.8]
  • OpenMetadata Ingestion package version: [e.g. openmetadata-ingestion[docker]==XYZ]

Additional context
Add any other context about the problem here.
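The gap described above, as an added illustrative model rather than OpenMetadata's own code: the `Task`, `Team`, `resolveApprovers` and `canApprove*` names are assumptions. The vulnerable check only asks whether the user is among the resolved approvers; the hardened check additionally excludes the task creator, no matter whether they were assigned directly or via team membership.

```typescript
// Illustrative model of the task approval check (assumed names, not OpenMetadata's code).
interface Team { id: string; members: string[] }               // member user ids
interface Assignee { type: "user" | "team"; id: string }
interface Task { id: string; createdBy: string; assignees: Assignee[] }

// Expand direct user assignees and team assignees into the set of user ids
// that are allowed to act on the task.
function resolveApprovers(task: Task, teams: Map<string, Team>): Set<string> {
  const approvers = new Set<string>();
  for (const a of task.assignees) {
    if (a.type === "user") {
      approvers.add(a.id);
    } else {
      const team = teams.get(a.id);
      if (team) team.members.forEach((m) => approvers.add(m));
    }
  }
  return approvers;
}

// Vulnerable check (the reported gap): any resolved approver may approve,
// including the user who created the task via a team they belong to.
function canApproveVulnerable(task: Task, userId: string, teams: Map<string, Team>): boolean {
  return resolveApprovers(task, teams).has(userId);
}

// Hardened check: the creator is never an approver, however they were
// assigned, which enforces the 4-eyes principle for every assignment type.
function canApproveHardened(task: Task, userId: string, teams: Map<string, Team>): boolean {
  if (userId === task.createdBy) return false;
  return resolveApprovers(task, teams).has(userId);
}

// Constructed sample mirroring the reproduction steps: user X is a member of
// team Y, creates the task, and assigns team Y as approver.
const teams = new Map<string, Team>([
  ["team-Y", { id: "team-Y", members: ["user-X", "user-Z"] }],
]);
const task: Task = {
  id: "task-1",
  createdBy: "user-X",
  assignees: [{ type: "team", id: "team-Y" }],
};
```

With this sample, `canApproveVulnerable(task, "user-X", teams)` returns true while `canApproveHardened` returns false for user X and true for teammate Z.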

chirag-madlani pushed a commit that referenced this issue Dec 12, 2023
* 🎉 Init

* 🐛 Fix variable responsible for creator

* 🐛 Fix variable responsible for creator

---------

Co-authored-by: at91mm <mariusz.gorski@ing.com>
MrVinegar pushed a commit to MrVinegar/OpenMetadata that referenced this issue Dec 15, 2023
…pen-metadata#14338)

* 🎉 Init

* 🐛 Fix variable responsible for creator

* 🐛 Fix variable responsible for creator

---------

Co-authored-by: at91mm <mariusz.gorski@ing.com>