Bug 1284475

Summary: Filter with permission edit_config_groups is not actually limited by search expression
Product: Red Hat Satellite Reporter: Shimon Shtein <sshtein>
Component: Users & RolesAssignee: Marek Hulan <mhulan>
Status: CLOSED ERRATA QA Contact: Tazim Kolhar <tkolhar>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.0.4CC: bbuckingham, bkearney, chpeters, cwelton, daobrien, tkolhar
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/9506
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Editing config groups did not respect permission filters. These filters are now respected.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-21 07:42:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Shimon Shtein 2015-11-23 12:40:40 UTC
I try to restrict access to specific config groups for a specific user. The new role should be able to filter the available config groups through their names. Therefore this user should not be able to change production relevant config groups.
I would need to use this feature in a real world DevOps scenario.

- create a new role and add filter 1 for host class permissions.
- select items "edit_classes" for filter 1.
- create filter 2 with config group permissions.
- select items "view_config_groups" and "edit_config_groups" for filter 2.
- uncheck unlimited checkbox for filter 2.
- enter search expression into search textbox like "name !=  production-apache" for filter 2.
- associate the role with restricted user.
- create config group with a name like "production-apache"
- login with the restricted user.
- on the menu go to configure - config groups.

expected result -> the user should not be able to view or edit config groups with the string "production" in their names.
actual problem -> the user is allowed to view and edit all config groups, even ones with matching names to the exclusion search expression.

Thanks for your attention,
Roland

Comment 1 Shimon Shtein 2015-11-23 12:40:42 UTC
Created from redmine issue http://projects.theforeman.org/issues/9506

Comment 4 Bryan Kearney 2015-11-23 13:02:27 UTC
Upstream bug assigned to mhulan

Comment 5 Bryan Kearney 2015-11-23 13:02:28 UTC
Upstream bug component is Users & Roles

Comment 8 Tazim Kolhar 2016-01-05 11:49:50 UTC
VERIFIED:
# rpm -qa | grep foreman
dell-pe1950-05.rhts.eng.brq.redhat.com-foreman-client-1.0-1.noarch
dell-pe1950-05.rhts.eng.brq.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch
puppet-foreman_scap_client-0.3.3-10.el7sat.noarch
foreman-vmware-1.7.2.50-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.5-1.el7sat.noarch
foreman-ovirt-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.9-1.el7sat.noarch
foreman-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman_docker-1.2.0.24-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.15.7-1.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.7-1.el7sat.noarch
rubygem-hammer_cli_foreman_docker-0.0.3.10-1.el7sat.noarch
foreman-debug-1.7.2.50-1.el7sat.noarch
foreman-proxy-1.7.2.8-1.el7sat.noarch
dell-pe1950-05.rhts.eng.brq.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-discovery-image-3.0.5-3.el7sat.noarch
foreman-libvirt-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman_openscap-0.3.2.10-1.el7sat.noarch
foreman-gce-1.7.2.50-1.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.15-1.el7sat.noarch
ruby193-rubygem-foreman_discovery-2.0.0.23-1.el7sat.noarch
foreman-selinux-1.7.2.17-1.el7sat.noarch
foreman-postgresql-1.7.2.50-1.el7sat.noarch
foreman-compute-1.7.2.50-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.2.4-1.el7sat.noarch
rubygem-hammer_cli_foreman_discovery-0.0.1.10-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.14-1.el7sat.noarch

steps:

- create a new role and add filter 1 for host class permissions.
- select items "edit_classes" for filter 1.
- create filter 2 with config group permissions.
- select items "view_config_groups" and "edit_config_groups" for filter 2.
- uncheck unlimited checkbox for filter 2.
- enter search expression into search textbox like "name !=  production-apache" for filter 2.
- associate the role with restricted user.
- create config group with a name like "production-apache"
- login with the restricted user.
- on the menu go to configure - config groups.

the user is not be able to view or edit config groups with the string "production" in their names.

Comment 11 errata-xmlrpc 2016-01-21 07:42:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0052