Bug 1213840
Summary: | RBAC: User able to modify catalog items when it has only access to view permission | |
---|---|---|---|
Product: | Red Hat CloudForms Management Engine | Reporter: | Aziza Karol <akarol>
Component: | UI - OPS | Assignee: | Jozef Zigmund <jzigmund>
Status: | CLOSED ERRATA | QA Contact: | Aziza Karol <akarol>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 5.4.0 | CC: | hkataria, jhardy, jprause, mpovolny, obarenbo, simaishi
Target Milestone: | GA | |
Target Release: | 5.6.0 | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | rbac:service:catalog | |
Fixed In Version: | 5.6.0.2 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | |
: | 1291456 | Environment: |
Last Closed: | 2016-06-29 14:54:02 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | | |
Bug Blocks: | 1291456 | |
Attachments: | | |

Created attachment 1016817
snp1

Not sure why CFME Bot added that PR, because it's not related to the BZ.
Related Pull Request is https://github.com/ManageIQ/manageiq/pull/3987

New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/2dfc3fbee7376844342e5fabaed8e809002d46fb

commit 2dfc3fbee7376844342e5fabaed8e809002d46fb
Author: Jozef Zigmund <jzigmund>
AuthorDate: Tue Mar 15 17:00:53 2016 +0100
Commit: Jozef Zigmund <jzigmund>
CommitDate: Thu Apr 7 15:47:58 2016 +0200

    Hide toolbar Add/Edit actions in CatalogItem#show when user has view permission only

    https://bugzilla.redhat.com/show_bug.cgi?id=1213840

    app/helpers/application_helper/toolbar_builder.rb | 27 +++++++++++++++++++++++
    1 file changed, 27 insertions(+)

New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=637ab77aadae93ba54cbe4e47ee5c6edddbccfb3

commit 637ab77aadae93ba54cbe4e47ee5c6edddbccfb3
Author: Jozef Zigmund <jzigmund>
AuthorDate: Tue Mar 15 17:00:53 2016 +0100
Commit: Jozef Zigmund <jzigmund>
CommitDate: Mon Apr 18 16:04:56 2016 +0200

    Hide toolbar Add/Edit actions in CatalogItem#show when user has view permission only

    https://bugzilla.redhat.com/show_bug.cgi?id=1213840

    app/helpers/application_helper/toolbar_builder.rb | 27 +++++++++++++++++++++++
    1 file changed, 27 insertions(+)

User unable to modify catalog items when it has only access to view permission.
Verified: 5.6.0.5-beta2.4.20160503153816_1fb554f

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1348

Created attachment 1016816
product feature

Description of problem:

Version-Release number of selected component (if applicable):
5.4.0.0.22.20150420163946_26004d1

How reproducible:
100%

Steps to Reproduce:
1. Create role, assign permissions for "Services", "Catalog Explorer", "Catalog Items", "View catalog Items" only
2. Create a group and assign this role
3. Create user with the above role
4. Log in as the user

Actual results:
User is able to add new button group, add new buttons etc. when it has only view permission. See attached screenshots.

Expected results:
User should only be able to view items.

Additional info: