Bug 1102315
| Summary: | As a readonly user, I should not be able to edit any entity through the API or UI. | ||
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Eric Helms <ehelms> |
| Component: | Content Management | Assignee: | Walden Raines <walden> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | sthirugn <sthirugn> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.0.3 | CC: | bkearney, cwelton, jmontleo, mmccune, sthirugn |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://projects.theforeman.org/issues/5503 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Release Note | |
| Doc Text: |
Red Hat Satellite 6 will deliver with a read only role. If users test this, and find places where they could actually modify data, they are asked to raise a support request and report the issue.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-09-11 12:24:34 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Eric Helms
2014-05-28 18:10:45 UTC
Created from redmine issue http://projects.theforeman.org/issues/5503 Upstream bug assigned to walden commit f4129016e3ba33aa493d5209584f3b443362dbea
Merge: c36f6f6 8332883
Author: Walden Raines <walden>
Date: Wed Jun 18 15:19:37 2014 -0400
Merge pull request #4226 from waldenraines/5503
Fixes #5503/BZ1102315 - restrict UI interactions to actual permissions in Bastion.
commit 83328836519a9ae1068ccf27b9a481f2457384c7
Author: Walden Raines <walden>
Date: Tue Jun 3 14:18:29 2014 -0400
Fixes #5503/BZ1102315 - restrict UI interactions to actual permissions.
Verified.
Used a Viewer role to test this bug
- In UI - all pages are visible but not editable
- In API - tested few api calls to edit objects and they returned Access denied
#1:
# curl -s -H "Content-Type:application/json" -H "Accept:application/json,version=2" -k -u readuser:pword -d '{"type":"system", "facts":{"release":"6Server", "architecture":"x86_64"}, "host_colletion_id":{}, "organization_id":3, "description":"Initial Registration Parameters:\nOS: redhat-release-server\nRelease: 6Server\nCPU Arch: x86_64\nsat5_system_id: 1000020000", "name":"mysytem-123.example.com"}' https://host.redhat.com/katello/api/systems
{"message":"Access denied","details":null}
#2:
curl -s -H "Content-Type:application/json" -H "Accept:application/json,version=2" -k -u readuser:pword -d '{"name":"testorgapi"}' https://host.redhat.com/katello/api/organizations
{
"error": {"message":"Access denied","details":null}
#3:
curl -X POST -H "Content-Type:application/json" -H "Accept:application/json,version=2" -k -u readuser:pword -d '{"organization_id":"3", "name":"testakapi"}' https://host.redhat.com/katello/api/activation_keys
{"message":"Access denied","details":null}
Version Tested:
GA Snap 4 - Satellite-6.0.4-RHEL-6-20140806.0
* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.19-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.19-1.el6_5.noarch
* candlepin-tomcat6-0.9.19-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-1.6.0.38-1.el6sat.noarch
* foreman-compute-1.6.0.38-1.el6sat.noarch
* foreman-gce-1.6.0.38-1.el6sat.noarch
* foreman-libvirt-1.6.0.38-1.el6sat.noarch
* foreman-ovirt-1.6.0.38-1.el6sat.noarch
* foreman-postgresql-1.6.0.38-1.el6sat.noarch
* foreman-proxy-1.6.0.23-1.el6sat.noarch
* foreman-selinux-1.6.0.4-1.el6sat.noarch
* foreman-vmware-1.6.0.38-1.el6sat.noarch
* katello-1.5.0-28.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.57-1.el6sat.noarch
* openldap-2.4.23-34.el6_5.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.30.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.30.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.30.beta.el6sat.noarch
* pulp-server-2.4.0-0.30.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
* sssd-ldap-1.11.5.1-3.el6.x86_64
This was delivered with Satellite 6.0 which was released on 10 September 2014. |