[#9662] - A non-administrative user can access everybody's schedules

Category: Bug report
Priority: High
Status: Resolved
Severity: Major
Resolution: Open
Reproducibility: Always
Assigned to: 0

A non-administrative user accessing the URL http://host:port/jasperserver/scheduler/main.html is shown all scheduled jobs, allowing any end user to delete or disable the jobs created by any other user. It is even possible to delete or disable jobs related to reports to which the user does not have access according to his roles. This seems a rather large security issue.

Version: v6.3.0
Component: Schedules

There was an earlier post in September 2016 for the same issue on v6.2 and a response that said it would be fixed in the next release. I'm guessing this didn't happen, as we still have the same issue in v6.3 and I couldn't see it mentioned in the known issues.

Reported by: robin_6
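A quick way to confirm whether a given account is affected (or whether an upgrade fixed it) is to list the scheduled jobs as a non-administrative user and flag any job owned by someone else. The script below is an added example written for this page, not code from the report or from the JasperReports Server project. It runs offline against a constructed sample response; the `fetch_jobs` helper assumes the REST v2 endpoint `<base_url>/rest_v2/jobs` returning a JSON object with a `jobsummary` list whose entries carry `id`, `label`, `owner` and `reportUnitURI` (field names from memory of the REST v2 docs; check them against your server's version before relying on the live path). The user names, job ids and report paths in the sample are invented.

```python
"""Check whether a JasperReports Server account can see jobs it does not own.

Added example for the bug above; not from the original report or the vendor.
"""
import base64
import json
import urllib.request

# Constructed sample modelled on the JSON that GET /rest_v2/jobs is assumed to
# return. All names, ids and paths are invented for the example.
SAMPLE_JOBS_RESPONSE = json.dumps({
    "jobsummary": [
        {"id": 4212, "label": "Weekly sales", "owner": "joeuser",
         "reportUnitURI": "/reports/sales/weekly"},
        {"id": 4213, "label": "Payroll export", "owner": "jasperadmin",
         "reportUnitURI": "/reports/hr/payroll"},
        {"id": 4214, "label": "Finance close", "owner": "superuser|organization_1",
         "reportUnitURI": "/reports/finance/close"},
    ]
})


def owner_user(owner):
    """Strip the '|organization' suffix that multi-tenant editions append."""
    return owner.split("|", 1)[0]


def foreign_jobs(jobs_json, username):
    """Return the job summaries whose owner is not `username`.

    For a non-administrative account a non-empty result reproduces the
    reported problem: the user is shown (and can pause or delete through the
    same UI/API) other people's schedules. Administrators legitimately see
    every job, so only run this check with an ordinary user account.
    """
    jobs = json.loads(jobs_json).get("jobsummary", [])
    return [j for j in jobs if owner_user(j.get("owner", "")) != username]


def fetch_jobs(base_url, username, password, timeout=10):
    """Fetch the job list as `username` using HTTP basic auth.

    Assumption: the server exposes `<base_url>/rest_v2/jobs` and honours
    `Accept: application/json`. Verify against your server's REST docs.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/rest_v2/jobs",
        headers={"Authorization": f"Basic {token}",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def report(jobs_json, username):
    """Human-readable verdict for one account's view of the job list."""
    bad = foreign_jobs(jobs_json, username)
    if not bad:
        return f"OK: {username} sees only their own schedules"
    lines = [f"FAIL: {username} can see {len(bad)} schedule(s) owned by others:"]
    for j in bad:
        lines.append(f"  job {j['id']} '{j['label']}' owner={j['owner']} "
                     f"report={j['reportUnitURI']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline run against the constructed sample. For a live check replace
    # SAMPLE_JOBS_RESPONSE with
    #   fetch_jobs("http://host:port/jasperserver", "joeuser", "password")
    print(report(SAMPLE_JOBS_RESPONSE, "joeuser"))
```

Run it once as the non-administrative user before and after upgrading; on an affected build the list of foreign jobs is non-empty, and after the fix described in the comments below it should be empty for such an account.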

2 Comments:

#1

Hi,

This issue has been addressed by the engineering team and should be fixed in the latest v6.4 (both CE and PRO).

#2
  • Status: New » Resolved

Thanks, I have downloaded and installed v6.4 and I can confirm that this has resolved the issue. Much appreciated.
