Lock and rights do not affect scheduled actions. Security bug

Even if the VM is locked, or the owner currently has no rights to manage/admin or even use (by lock) the VM, the user can schedule an action, e.g. resume, and turn his VM on.

Steps:

  • Lock the VM
  • Log in as the user
  • Schedule an action, like resume
  • Wait
  • The VM is going to be resumed

Expected: nothing should happen and/or the action should have a message, like “cannot resume vm, because it’s locked/user has no rights [manage]”
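A minimal model of the behaviour reported above next to the expected one, added here as an illustration; it is not OpenNebula code and not part of the original post. All names, the lock-level ordering and the mapping of resume to the manage right are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Toy model (assumption): a lock at level L blocks operations needing level >= L.
LEVELS = {"use": 1, "manage": 2, "admin": 3}
REQUIRED = {"resume": "manage"}  # assumed: resume needs the manage right

@dataclass
class VM:
    owner: str
    state: str = "suspended"
    lock: Optional[str] = None  # None means unlocked
    owner_rights: set = field(default_factory=lambda: {"use", "manage"})

@dataclass
class SchedAction:
    user: str
    action: str
    message: str = ""

def authorize(vm, user, action):
    """Return "" if allowed, otherwise the reason for refusal."""
    need = REQUIRED[action]
    if vm.lock is not None and LEVELS[need] >= LEVELS[vm.lock]:
        return f"cannot {action} vm, because it's locked"
    if user != vm.owner or need not in vm.owner_rights:
        return f"cannot {action} vm, because user has no rights [{need}]"
    return ""

def apply(vm, action):
    if action == "resume":
        vm.state = "running"

def run_unchecked(vm, sa):
    """Reported behaviour: the scheduler fires the action with no check."""
    apply(vm, sa.action)
    return True

def run_checked(vm, sa):
    """Expected behaviour: re-authorize as the scheduling user at run time."""
    sa.message = authorize(vm, sa.user, sa.action)
    if sa.message:
        return False  # VM untouched, reason kept on the action
    apply(vm, sa.action)
    return True
```

The check runs when the action fires rather than when it is created, so a lock or rights change made after scheduling is still honoured.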

Hello @slnt_opp

Could you please open an issue in our GitHub with the detailed information?

Thanks!

Best,
Álex

Hello @slnt_opp,
Which OpenNebula version do you use? (On the command line you can check it with ‘oned --version’)

I just tested it with 5.10.0 and 5.10.4 and it works correctly, the schedule action fails.

We’re using 5.8.5. Unfortunately I can’t update to 5.10 now.

Done