When selecting a team, then viewing an inherited query on that team, the results list in the UI shows hosts that aren't on that team, despite the address bar etc. indicating that I'm scoped to that team.
This is distinct from #15146, as I'm authorized to view the query results (repro'd in Dogfood, where I have global admin), but I wouldn't expect them to show up when the UI indicates that I'm scoped to the team. Nor would @xpkoala, who first saw this when trying to repro #23465.
🧑💻 Steps to reproduce
1. As a global admin, set up a couple of teams, with at least one host on each.
2. Set up an all-teams scheduled query that returns at least one row per team (easier to spot if it returns one or more rows per host), and let the query run.
3. Navigate to Queries, select one of the teams, then select the inherited query you just set up.
4. Observe that you see results from hosts on both the team you selected and the other team.
🕯️ More info
Looking at Dev Tools, we aren't sending anything to the API to ask for queries scoped by team ID. Looking at the API (query reports endpoint) and service call, we don't expose a way to explicitly filter query results by team either.
A workaround here is to create a user that only has permission to view a single team, then view query results from that user, thanks to #15146. But this issue isn't documented in the UI, nor is the workaround, so at the very least we need to call this out in the UI, and actually scoping the inherited queries properly is probably in order.
🛠️ To fix
Expose an optional query string parameter for the query report endpoint to filter query results by team (only show results for hosts that belong to that team), respecting access control constraints. Then use that query string parameter in /queries/{id}/team_id={team} in the UI.
Fleet version: 4.59.0
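The server-side scoping proposed under "To fix", shown in Go as an added example (not Fleet's code and not part of the original issue). The `Viewer` and `ResultRow` types and the `FilterReport` function are hypothetical, and every host is assumed to belong to exactly one team.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types for illustration; these are not Fleet's own structs.
type Viewer struct {
	GlobalAdmin bool
	TeamIDs     map[uint]bool // teams the viewer is allowed to read
}

type ResultRow struct {
	HostID uint
	TeamID uint // team the reporting host belongs to
	Data   string
}

var ErrForbidden = errors.New("viewer cannot access requested team")

// FilterReport applies the optional team filter (nil means "no filter")
// on top of the viewer's access-control scope, never instead of it.
func FilterReport(v Viewer, teamID *uint, rows []ResultRow) ([]ResultRow, error) {
	// Reject an explicit request for a team the viewer cannot read.
	if teamID != nil && !v.GlobalAdmin && !v.TeamIDs[*teamID] {
		return nil, ErrForbidden
	}
	out := []ResultRow{}
	for _, r := range rows {
		if !v.GlobalAdmin && !v.TeamIDs[r.TeamID] {
			continue // access control: hide hosts outside the viewer's teams
		}
		if teamID != nil && r.TeamID != *teamID {
			continue // UI scope: keep only hosts on the selected team
		}
		out = append(out, r)
	}
	return out, nil
}

func main() {
	// Constructed sample rows: hosts 1 and 3 on team 1, host 2 on team 2.
	rows := []ResultRow{{1, 1, "a"}, {2, 2, "b"}, {3, 1, "c"}}
	team := uint(1)
	scoped, _ := FilterReport(Viewer{GlobalAdmin: true}, &team, rows)
	fmt.Println(len(scoped), "rows for team 1 as global admin")
}
```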