Bug 1297415
Summary: | [RFE][L-8] Service dialogs created by the root tenant are not locked and can be modified or deleted by a child tenant. | |||
---|---|---|---|---|
Product: | Red Hat CloudForms Management Engine | Reporter: | Nikhil Gupta <ngupta> | |
Component: | Appliance | Assignee: | Libor Pichler <lpichler> | |
Status: | CLOSED CURRENTRELEASE | QA Contact: | Niyaz Akhtar Ansari <nansari> | |
Severity: | high | Docs Contact: | ||
Priority: | high | |||
Version: | 5.5.0 | CC: | abellott, asogukpi, cpelland, dajohnso, dmetzger, gtanzill, hhudgeon, jhardy, jocarter, kdixon, knoha, lpichler, mfeifer, obarenbo, simaishi, sshveta | |
Target Milestone: | GA | Keywords: | FutureFeature, RFE, TestOnly, ZStream | |
Target Release: | 5.11.0 | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | service:dialog:cfme_tenant | |||
Fixed In Version: | 5.11.0.1 | Doc Type: | Enhancement | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1678450 | Environment: | ||
Last Closed: | 2019-12-13 15:16:59 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | Bug | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | CFME Core | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1480786, 1584677, 1678450 |
Description
Nikhil Gupta
2016-01-11 13:15:17 UTC
Hi Team,

The subtenant can delete the service dialog created by another tenant from the different group. So this is not limited to root tenant.

Reproducing steps:
1. MyCompany/test1/Test1
2. MyCompany/test2/Test2
3. Create different groups for above tenant.
4. Create 2 Users (Test1 and Test2) for each of the above groups.
5. Login as Test1 user and create a service dialog (RHEL7).
6. Now, login as Test2 user and see RHEL7 service dialog is visible to this user as well. He can Edit, Copy and Delete this dialog. This should be restricted.

For customers, this is a significant security problem when sharing a catalog. Please try to fix this as soon as possible.

Regards,
Niks

New commit detected on ManageIQ/manageiq-ui-classic/hammer:
https://github.com/ManageIQ/manageiq-ui-classic/commit/f1e8c8a1a855f9a82bcd23b95e4d9eac3d0aae6b

commit f1e8c8a1a855f9a82bcd23b95e4d9eac3d0aae6b
Author: Milan Zázrivec <mzazrivec>
AuthorDate: Fri Nov 2 07:32:22 2018 -0400
Commit: Milan Zázrivec <mzazrivec>
CommitDate: Fri Nov 2 07:32:22 2018 -0400

    Merge pull request #4782 from lpichler/allow_any_product_feature_for_customization

    Add any product product feature for Customization in menu

    (cherry picked from commit a3a9ce7b53273e19f44dc042b3fe3950c050686a)

    https://bugzilla.redhat.com/show_bug.cgi?id=1297415

 app/presenters/menu/default_menu.rb | 2 +-
 spec/presenters/menu/default_menu_spec.rb | 8 +
 2 files changed, 9 insertions(+), 1 deletion(-)

Verified in Version 5.11.0.4.20190514210444_0c91ee1