unioslo/nivlheim

hostlist API must respect ACL when grouping

Closed this issue · 2 comments

Seems like it might be easier if the ACL was in a database table, so queries could JOIN against it. Consider it before implementing anything. It would affect how LIMIT/OFFSET is done.

Edit: Putting the ACL in the database has been considered, and will be solved at a later time. The issue for that is #67.

  • Make a unit test that detects this bug

Can be easily solved in api_hostlist.go at line 364, pseudocode:

If not admin:
WHERE ... AND certfp IN ( all the certs from the accessprofile )
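
The filter proposed in the pseudocode above, as an added Go example (not Nivlheim's own code): it builds the grouped query with bound parameters and fails closed when the access profile is empty. The function name `buildGroupQuery`, the table name `hostinfo`, the groupable columns and the base condition standing in for the `WHERE ...` part are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Columns the caller may group by (assumed names). Anything else is
// rejected, so the column name can be placed in the SQL text safely.
var groupable = map[string]bool{"os": true, "osedition": true, "manufacturer": true}

// buildGroupQuery returns the SQL text and bound parameters for a grouped
// host count. Non-admins only count hosts whose certfp is in their profile.
func buildGroupQuery(groupCol string, isAdmin bool, allowedCerts []string) (string, []interface{}, error) {
	if !groupable[groupCol] {
		return "", nil, fmt.Errorf("cannot group by %q", groupCol)
	}
	// Stand-in for the existing "WHERE ..." conditions (assumption).
	where := []string{"hostname IS NOT NULL"}
	var args []interface{}
	if !isAdmin {
		if len(allowedCerts) == 0 {
			// Empty profile: fail closed. "IN ()" is invalid SQL, and
			// dropping the filter would count every host.
			where = append(where, "FALSE")
		} else {
			ph := make([]string, len(allowedCerts))
			for i, c := range allowedCerts {
				args = append(args, c)
				ph[i] = fmt.Sprintf("$%d", len(args))
			}
			where = append(where, "certfp IN ("+strings.Join(ph, ",")+")")
		}
	}
	q := fmt.Sprintf("SELECT %s, count(*) FROM hostinfo WHERE %s GROUP BY %s",
		groupCol, strings.Join(where, " AND "), groupCol)
	return q, args, nil
}

func main() {
	// Constructed fingerprints, for illustration only.
	q, args, _ := buildGroupQuery("os", false, []string{"AA11", "BB22"})
	fmt.Println(q, args)
}
```

The three cases worth covering in the unit test from the checklist are admin (no filter), non-admin with certificates (filter present), and non-admin with an empty profile (no rows).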