Bug 1297415

Summary: [RFE][L-8] Service dialogs created by the root tenant are not locked and can be modified or deleted by a child tenant.
Product: Red Hat CloudForms Management Engine
Reporter: Nikhil Gupta <ngupta>
Component: Appliance
Assignee: Libor Pichler <lpichler>
Status: CLOSED CURRENTRELEASE
QA Contact: Niyaz Akhtar Ansari <nansari>
Severity: high
Docs Contact:
Priority: high
Version: 5.5.0
CC: abellott, asogukpi, cpelland, dajohnso, dmetzger, gtanzill, hhudgeon, jhardy, jocarter, kdixon, knoha, lpichler, mfeifer, obarenbo, simaishi, sshveta
Target Milestone: GA
Keywords: FutureFeature, RFE, TestOnly, ZStream
Target Release: 5.11.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: service:dialog:cfme_tenant
Fixed In Version: 5.11.0.1
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
: 1678450
Environment:
Last Closed: 2019-12-13 15:16:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1480786, 1584677, 1678450

Description Nikhil Gupta 2016-01-11 13:15:17 UTC
Description of problem:
Service dialogs created by the root tenant are not locked and can be modified or deleted by a child tenant.

Version-Release number of selected component (if applicable):
5.5.0.13.20151201120956_653c0d4

How reproducible:
Always

Steps to Reproduce:
1. In the Automation domain, create service dialogs as the root tenant.
2. Service dialogs created by the root tenant are not locked for child tenants.

Actual results:
They can be modified or deleted by a child tenant.

Expected results:
Child tenants should not be able to access service dialogs created by the root tenant.

Comment 22 Nikhil Gupta 2018-06-18 05:59:16 UTC
Hi Team,

A subtenant can delete a service dialog created by another tenant from a different group. So this is not limited to the root tenant.

Reproducing steps:

1. MyCompany/test1/Test1
2. MyCompany/test2/Test2
3. Create different groups for the above tenants.
4. Create 2 users (Test1 and Test2), one for each of the above groups.
5. Log in as the Test1 user and create a service dialog (RHEL7).
6. Now, log in as the Test2 user and see that the RHEL7 service dialog is visible to this user as well. He can Edit, Copy and Delete this dialog. This should be restricted.

For customers, this is a significant security problem when sharing a catalog.
Please try to fix this as soon as possible.

Regards,
Niks
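
The reproduction steps in this comment, as an added Ruby model that is not ManageIQ code and not part of the original report: it lists every cross-tenant grant a policy allows, comparing an unscoped policy (the reported behaviour) with a tenant-scoped one. All class and method names, the "RootDialog" entry and the strict owner-only rule (taken from the report's expected results) are assumptions.

```ruby
# Hypothetical model of the report; none of these names are ManageIQ APIs.
Tenant = Struct.new(:name, :parent) do
  # Full path from the root tenant, e.g. "MyCompany/test1".
  def path
    parent ? "#{parent.path}/#{name}" : name
  end
end
User   = Struct.new(:name, :tenant)
Dialog = Struct.new(:label, :owner_tenant)

ACTIONS = %i[view edit copy delete].freeze

# Reported behaviour: the dialog's owning tenant is never consulted.
class UnscopedPolicy
  def allowed?(_user, _dialog, _action)
    true
  end
end

# Expected behaviour per the report: only the owning tenant reaches a dialog.
class TenantScopedPolicy
  def allowed?(user, dialog, action)
    ACTIONS.include?(action) && user.tenant.equal?(dialog.owner_tenant)
  end
end

# Every [user, dialog, action] the policy grants across a tenant boundary.
def cross_tenant_grants(policy, users, dialogs)
  users.product(dialogs, ACTIONS).select do |user, dialog, action|
    !user.tenant.equal?(dialog.owner_tenant) &&
      policy.allowed?(user, dialog, action)
  end.map { |user, dialog, action| [user.name, dialog.label, action] }
end

# Constructed fixture following the steps above.
ROOT    = Tenant.new("MyCompany", nil)
TEST1   = Tenant.new("test1", ROOT)
TEST2   = Tenant.new("test2", ROOT)
USERS   = [User.new("Test1", TEST1), User.new("Test2", TEST2)].freeze
DIALOGS = [Dialog.new("RHEL7", TEST1), Dialog.new("RootDialog", ROOT)].freeze

if __FILE__ == $PROGRAM_NAME
  [UnscopedPolicy, TenantScopedPolicy].each do |klass|
    grants = cross_tenant_grants(klass.new, USERS, DIALOGS)
    puts "#{klass}: #{grants.size} cross-tenant grants"
    grants.each { |u, d, a| puts "  #{u} may #{a} #{d}" }
  end
end
```

A check like `cross_tenant_grants` can serve as a regression test: any non-empty result for a sibling or child tenant is a tenant-isolation failure of the kind reported here.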

Comment 32 CFME Bot 2018-11-15 13:12:49 UTC
New commit detected on ManageIQ/manageiq-ui-classic/hammer:

https://github.com/ManageIQ/manageiq-ui-classic/commit/f1e8c8a1a855f9a82bcd23b95e4d9eac3d0aae6b
commit f1e8c8a1a855f9a82bcd23b95e4d9eac3d0aae6b
Author:     Milan Zázrivec <mzazrivec>
AuthorDate: Fri Nov  2 07:32:22 2018 -0400
Commit:     Milan Zázrivec <mzazrivec>
CommitDate: Fri Nov  2 07:32:22 2018 -0400

    Merge pull request #4782 from lpichler/allow_any_product_feature_for_customization

    Add any product product feature for Customization in menu

    (cherry picked from commit a3a9ce7b53273e19f44dc042b3fe3950c050686a)

    https://bugzilla.redhat.com/show_bug.cgi?id=1297415

 app/presenters/menu/default_menu.rb | 2 +-
 spec/presenters/menu/default_menu_spec.rb | 8 +
 2 files changed, 9 insertions(+), 1 deletion(-)

Comment 36 Niyaz Akhtar Ansari 2019-05-15 09:39:23 UTC
Verified in Version 5.11.0.4.20190514210444_0c91ee1