Bug 1346352

Summary: On upgraded Satellite Viewer role user still can manage Content Views
Product: Red Hat Satellite
Component: Upgrades
Version: 6.2.0
Severity: high
Priority: unspecified
Status: CLOSED ERRATA
Reporter: Lukas Pramuk <lpramuk>
Assignee: Zach Huntington-Meath <zhunting>
QA Contact: Lukas Pramuk <lpramuk>
CC: bbuckingham, daviddavis, ehelms
Target Milestone: Unspecified
Target Release: Unused
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
URL: http://projects.theforeman.org/issues/15460
Fixed In Version: rubygem-katello-3.0.0.53-1
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2016-07-27 11:42:49 UTC
Bug Blocks: 1335807

Description Lukas Pramuk 2016-06-14 15:25:10 UTC
Description of problem:
On an upgraded Satellite, a Viewer role user can still manage Content Views,
as BZ 1341656 fixed only fresh Satellite installations.

With upgrades it's a bit tricky: the above fix avoids modifying existing roles' filters, as they may already have been modified by the Satellite admin. But I would still at least remove all perms that were wrongly matched on Sat6.1, as no one (read: no customer) would expect/set the Viewer role to have managing perms...

Version-Release number of selected component (if applicable):
Sat6.2.0-Snap15.1

How reproducible:
always

Steps to Reproduce:
1. Upgrade satellite
2. Prepare some content, some CVs under admin account
3. Create a user with just Viewer role assigned
4. Login as viewer user and navigate to Content -> Content Views
5. Have a "good play" with admin content

Actual results:
Perms wrongly assigned to the Viewer role on Sat6.1 still persist on Sat6.2.

Expected results:
Perms wrongly assigned to the Viewer role don't persist on Sat6.2.

Additional info:
Can be worked around: remove all filters that don't match "^view_*" from the Viewer role.

Comment 2 Zach Huntington-Meath 2016-06-20 00:12:33 UTC
Created redmine issue http://projects.theforeman.org/issues/15460 from this bug

Comment 3 Brad Buckingham 2016-06-21 15:08:25 UTC
Moving to assigned based on existence of PR.

Comment 4 Brad Buckingham 2016-06-24 19:27:07 UTC
Moving to POST since upstream PR has been merged.

Comment 5 Lukas Pramuk 2016-07-12 11:07:38 UTC
VERIFIED.

@satellite-6.2.0-19.1.el6sat.noarch
tfm-rubygem-katello-3.0.0.58-1.el6sat.noarch

Used the manual reproducer in comment #0.

>>> viewer role user is no longer able to manage content-views even on upgraded Satellite

Comment 6 Bryan Kearney 2016-07-27 11:42:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501