Bug 1317868

Summary: Unauthorized user can remove host parameter
Product: Red Hat Satellite Reporter: Kenny Tordeurs <ktordeur>
Component: Users & RolesAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: Peter Ondrejka <pondrejk>
Severity: high Docs Contact:
Priority: high    
Version: 6.1.7CC: abalakht, bkearney, jcallaha, mhulan, sbream, thomas.betrancourt
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-26 12:25:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
role_filters
none
host_parameters
none
host_parameters_postfix none

Description Kenny Tordeurs 2016-03-15 12:00:37 UTC 
Created attachment 1136564 [details]
role_filters

Description of problem:
Defined a Role which allows user to Edit host information (organization, host group, etc...).

On "Parameters" tab, the user cannot edit or add parameter, but he can Remove Host parameters.

Version-Release number of selected component (if applicable):
Satellite 6.1.7

How reproducible:
100%

Steps to Reproduce:
1. Defined a Role which allows user to Edit host information (organization, host group, etc...).
2. Go to a host and go to the "Parameters" tab, the user cannot edit or add parameter, but he can Remove Host parameters.

Actual results:
Able to remove a parameter from a host.

Expected results:
Deny removing parameter and remove the "Remove parameter" button from the page

Additional info:
Comment 1 Kenny Tordeurs 2016-03-15 12:01:03 UTC 
Created attachment 1136565 [details]
host_parameters
Comment 5 Marek Hulan 2016-08-15 11:18:44 UTC 
I can't reproduce on 6.2.0, you need a filter for resource Parameter and a permission called "destroy_params" to see the cross next to remove.
Comment 6 Peter Ondrejka 2016-10-10 13:37:23 UTC 
Comment #5 confirmed on satellite-6.2.3-1.0, not possible to delete, however I wonder why display the "remove" string (see attachment) if it can't do anything? I suppose empty space under Actions would be more user-friendly.
Comment 7 Peter Ondrejka 2016-10-10 13:38:33 UTC 
Created attachment 1208875 [details]
host_parameters_postfix
Comment 8 Marek Hulan 2016-10-12 09:53:55 UTC 
Peter, we tend to display actions that are not allowed so it's less confusing for user why sometimes see the link and sometimes now (e.g. if in one table they can see 2 params but can only delete one of them because of granular filter). If user does not have destroy permission for any parameter, the "destroy" is hidden for all of them. In this case it might be more confusing so if you feel this is a bug, we can probably hide it completely. Since this is already ON_QA, I'd suggest reporting a new BZ for that.
Comment 9 Peter Ondrejka 2016-10-12 11:22:30 UTC 
OK, if this is a policy and not some forgotten element, than be it. Moving to verified as per comment 6.
Comment 10 Marek Hulan 2016-10-12 12:31:29 UTC 
We have helpers for both, so it's a matter of specific page really.
Comment 12 errata-xmlrpc 2016-10-26 12:25:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:2108