Bug 1006978

Summary: Authenticated users are able to download consumer manifests that they don't own
Product: [Community] Candlepin
Reporter: Chris Peters <chpeters>
Component: candlepin
Assignee: Devan Goodwin <dgoodwin>
Status: CLOSED CURRENTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: high
Priority: unspecified
Version: 0.9
CC: dcrissman, dgoodwin, mmccune, tdeanton
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-12-19 13:30:44 UTC
Bug Blocks: 972873

Description Chris Peters 2013-09-11 15:49:39 UTC
Description of problem:

Authenticated users are able to download any consumer manifest if they know the UUID of the consumer.

user: gss-test-1a
consumer uuid: ddf2dcf2-9414-4512-b3af-b2eb8830b58e

I am able to download this manifest as another user.

curl -v -H "cp-user: rhn-cservice-acarter" -X GET http://s03.candlepin.stage.ext.phx2.redhat.com:8080/candlepin/consumers/ddf2dcf2-9414-4512-b3af-b2eb8830b58e/export -o manifest.zip

Comment 1 William Poteat 2013-09-11 18:32:11 UTC
All areas where consumer info is retrieved need to be locked down. The user must be associated with the owner that the consumer belongs to.
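
The rule above, as an added illustration that is not Candlepin's own code: the pre-fix export handler beside one that checks the consumer's owner against the caller. Consumer, Principal, the export_consumer_* functions and the owner keys are hypothetical, and CONSUMERS is constructed sample data that reuses the consumer UUID from the report.

```python
# Added example, not Candlepin's code: the owner check that Comment 1 calls for.
# Consumer, Principal, export_consumer_* and the owner keys are hypothetical;
# CONSUMERS is constructed sample data reusing the UUID from the report.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Consumer:
    uuid: str
    owner_key: str   # the owner (org) the consumer was registered under
    manifest: bytes  # stands in for the export zip

@dataclass(frozen=True)
class Principal:
    username: str
    owner_keys: frozenset = field(default_factory=frozenset)  # owners the user may act on

UUID_A = "ddf2dcf2-9414-4512-b3af-b2eb8830b58e"   # from the report
UUID_B = "0f0f0f0f-1111-2222-3333-444444444444"   # constructed
CONSUMERS = {
    UUID_A: Consumer(UUID_A, "owner-a", b"manifest-a.zip"),
    UUID_B: Consumer(UUID_B, "owner-b", b"manifest-b.zip"),
}

def export_consumer_vulnerable(principal: Principal, consumer_uuid: str) -> bytes:
    """Pre-fix behaviour: authentication only, so any valid UUID is exportable."""
    consumer = CONSUMERS.get(consumer_uuid)
    if consumer is None:
        raise KeyError(consumer_uuid)
    return consumer.manifest

def export_consumer_fixed(principal: Principal, consumer_uuid: str) -> bytes:
    """Fixed: the consumer's owner must be one the principal is associated with."""
    consumer = CONSUMERS.get(consumer_uuid)
    if consumer is None or consumer.owner_key not in principal.owner_keys:
        # One answer for "no such consumer" and "not your consumer", so the
        # response does not reveal which UUIDs exist.
        raise KeyError(consumer_uuid)
    return consumer.manifest

def can_export(principal: Principal, consumer_uuid: str) -> bool:
    """True when the fixed handler would serve the export to this principal."""
    try:
        export_consumer_fixed(principal, consumer_uuid)
        return True
    except KeyError:
        return False
```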

Comment 3 Devan Goodwin 2013-12-19 13:30:44 UTC
New permissions work is present in candlepin-0.8.34-1.

Will require work on IT side as per emails / demos / discussion on how to use it.

More info here:

https://fedorahosted.org/candlepin/wiki/AuthenticationAndAuthorization

This is not QE testable per se, closing as CURRENTRELEASE.