openanalytics / shinyproxy

ShinyProxy - Open Source Enterprise Deployment for Shiny and data science apps
https://www.shinyproxy.io
Apache License 2.0
525 stars 151 forks

3.1.0 - Admin Page Only Allows Stopping Of Own Apps #496

Closed nik-humphries closed 5 months ago

nik-humphries commented 6 months ago

When using the admin page to stop an application, if the application was started by another user, it is not possible to stop it. A 403 on the API is returned.

Received invalid response (not 200 OK)  
Response {type: 'basic', url: 'https://xxx/ap…proxy/018cc2ab-348d-4765-bff5-9f1e0744f31a/status', redirected: false, status: 403, ok: false, …}

When closing your own applications, it works fine. Is this due to a change in authenticating against the API? Everything was working fine in 3.0.2, but no longer in 3.1.0.

I haven't changed the admincontroller. I have added Bootstrap to the HTML page:

    <link media="screen" rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css" />
    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/js/bootstrap.bundle.min.js"></script>
    <link rel="stylesheet" th:href="@{/assets/css/navbar.css}"/>
    <link rel="stylesheet" th:href="@{/assets/css/index.css}" />

The admin role is admins

In the browser I am able to navigate via https://xxx/api/proxy/e97e7bba-384c-454f-b5c8-d3fef1138974/status, but the PUT request returns a 403.

I can see that there doesn't appear to be a difference between the 2 requests in terms of cookies or auth headers, as they are both passing the session cookie.

Also to note, we are using B2C / OpenID.

Going to investigate some more.
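An authorization smoke check for the status endpoint described in this report, added here as an example (it is not ShinyProxy project code and is not the reporter's). It assumes the `PUT {base}/api/proxy/{id}/status` request visible in the log above, a JSON body of `{"status": "Stopping"}` for stopping an app, and a `JSESSIONID` session cookie for each test identity; all three are assumptions, and the proxy IDs and cookies in the block are constructed placeholders. It covers both directions an authorization change can regress in: an admin wrongly denied (the 3.1.0 symptom) and a non-owner wrongly allowed, which is the case an upgrade check should also cover.

```python
"""Authorization smoke check for ShinyProxy's proxy status endpoint.

Added example, not ShinyProxy project code. Assumptions:
  - GET/PUT {base}/api/proxy/{proxy_id}/status, as seen in the report;
  - stopping an app is a PUT with JSON body {"status": "Stopping"};
  - each identity is represented by a session cookie (JSESSIONID assumed);
  - owners and members of the admin role may stop a proxy, nobody else.
"""
import json
import urllib.error
import urllib.request

STOP_BODY = {"status": "Stopping"}  # assumed request body for a stop


def expected_status(is_admin: bool, is_owner: bool) -> int:
    """Policy the fix is meant to enforce: owner or admin -> 200, else 403."""
    return 200 if (is_admin or is_owner) else 403


def classify(is_admin: bool, is_owner: bool, observed: int) -> str:
    """Name the outcome so both regression directions stand out in a report."""
    expected = expected_status(is_admin, is_owner)
    if observed == expected:
        return "ok"
    if expected == 200 and observed == 403:
        return "too-strict"      # the 3.1.0 symptom: an admin is denied
    if expected == 403 and observed == 200:
        return "too-permissive"  # a non-owner may stop someone else's app
    return "unexpected"


def put_status(base_url: str, proxy_id: str, session_cookie: str, timeout: int = 10) -> int:
    """Send the stop request with the given session cookie and return the HTTP status."""
    url = f"{base_url.rstrip('/')}/api/proxy/{proxy_id}/status"
    req = urllib.request.Request(
        url,
        data=json.dumps(STOP_BODY).encode(),
        method="PUT",
        headers={"Content-Type": "application/json", "Cookie": session_cookie},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 on the PUT is the observation from the report


def run_matrix(base_url: str, cases: list, sender=put_status) -> list:
    """Run every case and return (proxy_id, verdict) pairs.

    `sender` is injectable so the matrix can be exercised without a live server.
    """
    results = []
    for case in cases:
        observed = sender(base_url, case["proxy_id"], case["cookie"])
        verdict = classify(case["is_admin"], case["is_owner"], observed)
        results.append((case["proxy_id"], verdict))
    return results


if __name__ == "__main__":
    # Constructed cases; IDs and cookies are placeholders, not real values.
    cases = [
        {"proxy_id": "<admin-own-proxy-id>", "cookie": "JSESSIONID=<admin-session>",
         "is_admin": True, "is_owner": True},
        {"proxy_id": "<other-users-proxy-id>", "cookie": "JSESSIONID=<admin-session>",
         "is_admin": True, "is_owner": False},
        {"proxy_id": "<other-users-proxy-id>", "cookie": "JSESSIONID=<user-session>",
         "is_admin": False, "is_owner": False},
    ]
    for proxy_id, verdict in run_matrix("https://xxx", cases):
        print(proxy_id, verdict)
```

Run it against a staging instance after an upgrade; any `too-strict` line reproduces the behaviour reported here, and any `too-permissive` line is the more serious finding, since it means the stricter authorization has been loosened beyond the owner-or-admin rule.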

LEDfan commented 6 months ago

Hi, thanks a lot for reporting this! This is a bug in the 3.1.0 release: we improved authorization in this release but made it too strict for this part. We'll fix this soon and provide a snapshot version.

LEDfan commented 5 months ago

We just released ShinyProxy 3.1.1, which fixes this, so I'm going to close this issue. Thanks again for reporting this.