In Amorphic we have different sets of permissions to access different components and features. These permissions are granted to an Amorphic role, and users who have access to that role can use those features. This bug relates to an issue where users were able to call specific APIs and use those features in Amorphic even if their role did not have the required permission.
Affected Versions: 2.6.1 and below
Fix Version: 2.7
Root cause(s)
Users were able to call a few API endpoints with a role which doesn't have permission to call those endpoints. The API endpoints and the permissions required to call them are:
| API endpoint | Required permissions |
|---|---|
| /verticals | verticals.list, vertical.view, vertical.update |
| /datasets/{id}/dataloads | datasets.list, users.list, groups.list |
| /dr-information | systemhealth.view |
The users could call these endpoints even with a role which doesn't have the above-mentioned permissions.
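As an added illustration (not Amorphic's own code), this is the shape of the check that was missing: a request handler that looks up the called endpoint in the table above and refuses callers whose role lacks the listed permissions. The role names are constructed, and the rule that holding at least one of the listed permissions is sufficient is an assumption, since the advisory does not say whether all of them are needed.

```python
# Endpoint -> required permissions, taken from the advisory's table.
# ASSUMPTION: a role satisfies the requirement if it holds at least one of the
# listed permissions; the advisory does not state whether all are needed.
REQUIRED_PERMISSIONS = {
    "/verticals": {"verticals.list", "vertical.view", "vertical.update"},
    "/datasets/{id}/dataloads": {"datasets.list", "users.list", "groups.list"},
    "/dr-information": {"systemhealth.view"},
}

# Constructed sample roles for this demonstration, not Amorphic's real roles.
ROLE_PERMISSIONS = {
    "data-viewer": {"datasets.list"},
    "ops-admin": {"systemhealth.view", "verticals.list"},
    "no-access": set(),
}


def path_matches(template: str, path: str) -> bool:
    """Segment-wise match; a "{...}" template segment matches any one path segment."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    return all((t.startswith("{") and t.endswith("}")) or t == p
               for t, p in zip(t_parts, p_parts))


def vulnerable_handler(role: str, path: str) -> str:
    """Pre-2.7 behaviour described above: the role's permissions are never consulted."""
    return "200 OK"


def fixed_handler(role: str, path: str) -> str:
    """Hardened form: deny unless the role holds a permission listed for the endpoint."""
    held = ROLE_PERMISSIONS.get(role, set())
    for template, required in REQUIRED_PERMISSIONS.items():
        if path_matches(template, path):
            if held & required:
                return "200 OK"
            # Useful for detection: record the role and what it lacked before refusing.
            print(f"denied role={role!r} path={path!r} missing={sorted(required - held)}")
            return "403 Forbidden"
    return "404 Not Found"  # unknown endpoint: never fall through to a handler


if __name__ == "__main__":
    print(vulnerable_handler("no-access", "/dr-information"))      # 200 OK (the bug)
    print(fixed_handler("no-access", "/dr-information"))           # 403 Forbidden
    print(fixed_handler("data-viewer", "/datasets/42/dataloads"))  # 200 OK
```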
Impact
Any user could call the endpoints listed in the Root cause(s) section with any role assigned to them, regardless of whether that role holds the required permissions.
Mitigation
The fix will be available in Amorphic version 2.7.
Timeline
- 2024-08-29: Bug reported/identified (CLOUD-4917)
- 2024-08-29: Bug triaged
- 2024-09-01: Bug fixed
- 2024-09-27: Testing of the fix completed
- 2024-10-14: Amorphic version 2.7 released with the bugfix