Bug 1017279

Summary: user without "Unassign Bundles From Group" is able to unassign bundles from group
Product: [JBoss] JBoss Operations Network Reporter: Armine Hovsepyan <ahovsepy>
Component: ProvisioningAssignee: RHQ Project Maintainer <rhq-maint>
Status: CLOSED NOTABUG QA Contact: Mike Foley <mfoley>
Severity: high Docs Contact:
Priority: unspecified    
Version: JON 3.2CC: mazz, mfoley
Target Milestone: ---   
Target Release: JON 3.2.0   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-10-09 15:16:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1006862    

Description Armine Hovsepyan 2013-10-09 14:39:09 UTC 
Description of problem:
user without "Unassign Bundles From Group" is able to unassign bundles from group

Version-Release number of selected component (if applicable):
jon 3.2 ER3

How reproducible:
always

Steps to Reproduce:
1. create a user "bundle" having role with "delete bundle from groups" and without having permission to "Unassign Bundles From Group"
2. log in as "bundle" user
3. navigate to Bundles 
4. Select a group having bundle assigned to it
5. unassign the bundle from group

Actual results:
bundle is unassigned

Expected results:
bundle cannot be unassigned - alert telling that no-permission granted to  unassign bundle should be shown


Additional info:
video recorded -> http://d.pr/v/K0Yp
Comment 1 John Mazzitelli 2013-10-09 15:16:45 UTC 
OK, after talking to Jay, this is expected behavior and not a bug.

See the docs here:

   https://docs.jboss.org/author/display/RHQ/Security+Model+for+Bundle+Provisioning#SecurityModelforBundleProvisioning-DeleteBundlesInGroup

where it says:

   "This permission allows any viewable bundle to be unassigned from bundle groups associated with the role."

So if you have the ability to delete bundles, that implies you can also unassign bundles, too.

The thought is that if you can delete you should be able to unassign because delete is more powerful than unassign. The same thing is true with "create in group" bundle permission and "assign to group" bundle permissions.