Re: admin user access admin page, not config page, posted by Garret Delaronde on Fri May 10 17:37:24 2013
|
| Szu-Ching Peckner wrote: |
|
We have multiple logbooks. Each user is admin user for his/her own logbook.
I want user be able to modify config file, but no access to user setting, such as see user list, change password, new user, remove user.
[logbook1]
Admin user = user1
Login user = user1, user2
Allow Config = user1
List Menu commands = Admin, Config
user1 click on Admin, it opens config file, when user1 click on save, user1 is brought to Config page, which has select user list on top, Change password, Remove user, New user buttons on bottom. Is there a way that admin user has access to config file, but no access to user info at all (not even presented to them). Is there a way after user1 click save, page doesn't go to that config page?
I could put
Deny Change password =
Deny Remove user
Deny New user
so when user1 click on those buttons, user1 will get command not allowed. However I would rather have user1 not even see that page.
|
If they have admin rights, the add user button cannot be removed as far as I know.
But even if they can add a user, they only have ability to add a user to the single logbook they are an admin on so they wouldn't be able to add users to other peoples logbooks.
Not sure it helps but that's about all I can really speak to. |
ROptions value changed in the edit page, posted by Gabriele Sirri on Wed Apr 15 11:43:14 2009
|
When ROptions items contain the same substring and this substring is also an ROptions item (ex: notdone,
done), the value of the entry could change in the edit page.
It depends on the item order in the config file.
If Options is used (instead of ROptions), it works as expected.
Is it a bug?
Examples :
#Insert "notdone" as new entry. When you try to edit the entry, the displayed value is "done".
[test_bad]
Attributes = Author, Category
ROptions Category = notdone, done
#No problem if you change the item order
[test_good]
Attributes = Author, Category
ROptions Category = done, notdone |
|
"Collapse to last = 1" problem when reply twice to the same entry, posted by Gabriele Sirri on Sat Oct 24 01:10:24 2009
|
Hello.
Please look at the entry 66525 of this forum (just 5 thread before this one):
-> chain.crt, posted by Gerhard Schneider on Thu Sep 3 21:55:52 2009 (66525)
|-> Re: chain.crt, posted by Stefan Ritt on Fri Sep 4 08:33:16 2009 (66526)
|-> Re: chain.crt, posted by Gerhard Schneider on Wed Oct 7 07:56:52 2009 (66556)
When you collapse the thread, it is collapsed to the 66526 instead of the 66556 (more recent)
+ Re: chain.crt, posted by Stefan Ritt on Fri Sep 4 08:33:16 2009
I guess it is because both 66526 and 66556 replies to the first entry.
I have the same problem with Elog v2.7.7-2246 and Windows.
In general, it seems to work well only if you always reply to the last entry of a thread.
Thank you.
b.t.w. : is there any tip to always force reply to the last entry of a thread? |
Collapse to Last and Quick Filter , posted by Gabriele Sirri on Sat Jan 2 01:34:57 2010 
|
Hello,
I feel that the filter result could be confusing and unexpected when "COLLAPSE TO LAST" is enabled: you
filter the first entry but you show the last one. What is filtered doesn't correspond with what is shown (look
the attached example).
I suggest to implement an option to let the user decide which entry (first or last) should be retrieved for
filtering (a tentative patch is attached).
Thank you
Gabriele
P.S. A similar behaviour occurs when you sort the logbook: it could appear as not sorted because you sort the
first entry but the last one is shown. |
|
Re: Collapse to Last and Quick Filter , posted by Gabriele Sirri on Mon Jan 18 02:13:19 2010
|
Hello,
I gave it a try using the svn version n. 2283 (12 Jan 2010). The threaded display can be collapsed only if you don't
apply any sorting. In the latter case, if you sort in some way ( with "Sort Attributes =" or "sort=" in the url), the
thread cannot be collapsed anymore.
Also if I apply any filter from the quick filter bar, I cannot collapse the thread anymore (also without sorting).
As example, these are the numbers of entries I obtain with my logbook :
http://localhost:8080/mylogbook/?mode=threaded&expand=0 => 75 entries (OK)
http://localhost:8080/mylogbook/?mode=threaded&expand=0&sort=EventID => 445 entries (WRONG it should collapsed)
http://localhost:8080/mylogbook/?mode=threaded&expand=0&Interaction=nuCC => 335 entries
However (considering the bug fixed for the collapsed thread display), breaking the thread is not a confortable solution.
I choose to show the logbook in the threaded mode, because I'm interested in grouping the entries in threads.
In my opinion, this feature is good (and it is my favourite) and should be preserved despite any sorting or filtering.
This is why I suggest to ask to the user which entries (first or last) better applies for sorting and filtering.
Ciao
Gabriele
> You are absolutely right. When doing filtering, entries shown or not shown have not much to do with the filter.
> Rather than messing around with first and last entries, I decided to break apart threads completely when doing
> filtering, so the entries are treated as individual entries, just like what you do when filtering in summary mode.
> This gives then consistent filtering results. The modification is done in revision 2282. |
|
Re: quick filter, posted by Gabriele Sirri on Mon Jan 18 02:14:01 2010
|
| Stefan Ritt wrote: |
|
| deletoille wrote: |
|
| Stefan Ritt wrote: |
|
| deletoille wrote: |
|
Hello,
We would like to use more the quick filter command on attributes.
On the other hand, when we use it, the result does not displaying entries which are in answer of another attribute. Is there a command which allow that possibility like when we select display full entries in the search mode?
Thanks in advance
Xavier
|
I don't understand your questions. Can you please give an example.
|
Sorry for my english. In fact, i found the answer by myself. But I ll explain to you.
in attachement 1, a small part of our ELOG. When I choose FBT in the quick filter "groupe incriminé". Elog respond that there is no entrie found (attachement 2)
But, with the find function, when i select display full entries and FBT in "groupe incriminé", Elog show the entrie ( attachement 3).
I found the answer. In fact, Elog respond no entrie when threaded is selected. I have to choose Full or summary for that working.
sorry
Xavier
|
Actually what you report is a bug. The filtering does not work in threaded display mode, only in summary and full. I fixed that bug in the current SVN version, so if you download and compile it, you can give it a try. The fix will be contained in the next official release.
|
Hello,
I gave it a try. See: https://midas.psi.ch/elogs/Forum/66690
Gabriele
|
|
Re: Path disclosure on unfound file, posted by Gabriel Lopez on Wed Feb 3 17:28:16 2021
|
Hello, This is coming up as a high vulnerability in our scans. Are there plans to update the rpm for this fix? If so is there an ETA? Any update would be much appreciated. Currently running elog-3.1.4-2
| Stefan Ritt wrote: |
|
Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a
| prinnydood wrote: |
|
I can confirm this issue exists on version 3.1.3, which I have installed elog on Debian 10.
The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.
This is what I found:
1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish
2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd
3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path
4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.
Turning on -v (verbose mode), the response by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).
=====
My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.
====
What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.
(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).
|
|
|
|
Re: Path disclosure on unfound file, posted by Gabriel Lopez on Fri Feb 19 19:48:11 2021
|
Thank you for your work. Works like a charm!
| Stefan Ritt wrote: |
|
I made a new RPM: https://elog.psi.ch/elog/download/RPMS/elog-3.1.4-3.el7.x86_64.rpm
| Gabriel Lopez wrote: |
|
Hello, This is coming up as a high vulnerability in our scans. Are there plans to update the rpm for this fix? If so is there an ETA? Any update would be much appreciated. Currently running elog-3.1.4-2
| Stefan Ritt wrote: |
|
Ok, I fixed the code in the current commit (395e101add19f0fe8a11a25d0822e511f34d94d1). The path gets stripped, and we see a
| prinnydood wrote: |
|
I can confirm this issue exists on version 3.1.3, which I have installed elog on Debian 10.
The issue also exists on version 3.14 (1.20190113git283534d97d5a.el7), which I tested on an AmazonLinux EC2 instance.
This is what I found:
1. if I leave out the extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish
2. if I include any random extension at the end of the URL for a non-existent page, it gives me the red error box. So far so good... Example: /gibberish.php or /gibberish.htm or /gibberish.asdfasd
3. if I include any .html extension specifically at the end of the URL for a non-existent page, elog exposes the path /usr/share/elog/themes/default/gibberish.html. This is a bug... Example: /gibberish.html exposes the path, and likewise, /.gibberish.html ( "dot" + gibberish) exposes the path
4. if I include a valid, existent .html file which is located in the directory /usr/share/elog/themes/default/, and call it, elog exposes the html document. Example: I created an html file called gibberish.html (containing <html><body><p>Hello world</p></body></html>) in my system's /usr/share/elog/themes/default/ directory. After navigating back to the /gibberish.html URL, I was presented with the HTML file.
Turning on -v (verbose mode), the response by elogd when accessing these are: "GET /elog/gibberish.html HTTP/1.0 Returned 605 bytes" (displays "Hello world" html file), and "GET /elog/gibberish.asdfasd HTTP/1.0 Returned 605 bytes" (displays red error box).
=====
My guess: the program seems to be caring about the files ONLY if they have html file extension. Please see the screenshots below.
====
What are the security implications? Not much, I think. From what I can tell, exposing the "/usr/share/themes/elog" path, and also exposing the elog version when the file does not exist. Hope this reply helps anyone else with the same question.
(I am sure the error exposing the version can be removed by editing the source code--this is probably beyond my capabilities at this point).
|
|
|
|
|
|