User Request
Type: bug
Target: Console Application
Submitted by: @aashu2006
Console Request ID: afbe376f-31d0-4e74-b145-7b54791fa348
Description
What happened:
In pkg/api/handlers/sse.go:417, the cache key is cfg.demoKey + ":" + cl.Name + ":" + cfg.namespace with no user identity component. An admin and a viewer querying the same resource type, cluster, and namespace share the same cache entry. Whichever user hits first populates the cache; subsequent users get that result regardless of their permissions.
What I expected:
The cache key should include the user ID or a hash of their role/permissions to prevent cross-user data leakage.
Steps to reproduce:
- Have an admin query pods in namespace "default" on cluster "prod"
- Have a viewer (restricted to "default") query the same endpoint
- Observe the viewer receives the admin's cached result including resources outside their permissions
This issue was automatically created from the KubeStellar Console.
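To make the reported scenario concrete, here is an added example (not code from the KubeStellar Console) that contrasts the key shape described in the report with one partitioned by a digest of the caller's effective permissions; the Request type, the constructed pod list and the visible/serve helpers are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"sort"
	"strings"
)

// Request holds the reported key's fields plus the caller's permissions (names assumed, not the project's).
type Request struct {
	DemoKey, Cluster, Namespace string
	AllowedNamespaces           []string // namespaces the caller's RBAC grants
}

// sharedKey reproduces the key shape from the report: no identity component.
func sharedKey(r Request) string {
	return r.DemoKey + ":" + r.Cluster + ":" + r.Namespace
}
// permissionHash digests the permissions order-independently: equal access shares an entry, different access never does.
func permissionHash(allowed []string) string {
	sorted := append([]string(nil), allowed...)
	sort.Strings(sorted)
	sum := sha256.Sum256([]byte(strings.Join(sorted, "\x00")))
	return hex.EncodeToString(sum[:8])
}

// scopedKey is the hardened form: the shared key partitioned by the permission digest.
func scopedKey(r Request) string {
	return sharedKey(r) + ":" + permissionHash(r.AllowedNamespaces)
}
// visible is the uncached path: a constructed pod list filtered by the caller's RBAC.
func visible(r Request) []string {
	allowed := "," + strings.Join(r.AllowedNamespaces, ",") + ","
	var out []string
	for _, pod := range []string{"default/web", "default/db", "kube-system/dns"} {
		if strings.Contains(allowed, ","+strings.SplitN(pod, "/", 2)[0]+",") {
			out = append(out, pod)
		}
	}
	return out
}

// serve returns the cached entry for keyFn(r) if present, otherwise fills it.
func serve(cache map[string][]string, keyFn func(Request) string, r Request) []string {
	if _, ok := cache[keyFn(r)]; !ok {
		cache[keyFn(r)] = visible(r)
	}
	return cache[keyFn(r)]
}
```

With sharedKey the viewer reads the admin's populated entry; with scopedKey two users with the same access still share an entry, but users with different access are partitioned.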