Bug 1375713

Summary: CloudForms 4.1 Child tenant user able to delete catalog Item from parent tenant user in UI
Product: Red Hat CloudForms Management Engine
Reporter: myoder
Component: Appliance
Assignee: Joe Rafaniello <jrafanie>
Status: CLOSED WONTFIX
QA Contact: Pavol Kotvan <pakotvan>
Severity: medium
Docs Contact:
Priority: high
Version: 5.6.0
CC: abellott, bascar, gtanzill, jhardy, jocarter, jrafanie, mfeifer, obarenbo, rspagnol
Target Milestone: GA
Target Release: 5.11.0
Hardware: All
OS: All
Whiteboard: catalog:tenant
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-08-01 14:13:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: Bug
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:

Description myoder 2016-09-13 20:00:32 UTC
Description of problem: A user with the child tenant role is able to delete/edit a catalog item created by an admin user attached to a parent tenant within the web UI.


Version-Release number of selected component (if applicable): CloudForms 4.1


How reproducible: Always


Steps to Reproduce:
1. Create a catalog item with admin user attached to the parent tenant
2. Create a new user as a child tenant with an admin role.
3. Have the user attached to the child tenant delete the catalog item created by the admin.

Actual results: Child tenant user is allowed to edit/remove the catalog item.


Expected results: Child tenant should not have access to edit/remove the catalog of the parent tenant.


Additional info:

Comment 5 Marianne Feifer 2017-10-03 18:20:28 UTC
John, Looks like there was a needinfo for you way back. Not sure where this stands.

Comment 8 Joe Rafaniello 2018-07-31 17:15:12 UTC
I believe this is by design:

'ServiceTemplate'        => :ancestor_ids,

https://github.com/ManageIQ/manageiq/blob/2a66cb59e26816c7296896620b5b7731b350943d/lib/rbac/filterer.rb#L114

You're able to see Catalog items of parent and ancestor tenants. If your role has permission to modify catalog items / delete them, and you can see ones from ancestor tenants, then you can delete them.

Brad, is this still the desired functionality?
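The filter rule described in the comment above, modelled as an added Ruby example (not ManageIQ's own code; the Tenant, ServiceTemplate and Rbac names and the :catalog_item_delete feature are hypothetical): a child tenant's read scope includes catalog items of ancestor tenants, so a role carrying the delete feature can remove a parent tenant's item. An ownership-based check is shown alongside to contrast read scope with write scope.

```ruby
# Added illustration, not ManageIQ code: a toy tenant hierarchy and a
# visibility filter keyed by ancestor tenant ids, as the comment describes
# for ServiceTemplate. Tenant, ServiceTemplate and Rbac are hypothetical names.

Tenant = Struct.new(:id, :parent) do
  # Ids of every tenant above this one in the hierarchy (nearest first).
  def ancestor_ids
    ids = []
    t = parent
    while t
      ids << t.id
      t = t.parent
    end
    ids
  end
end

ServiceTemplate = Struct.new(:name, :tenant)

module Rbac
  # Read scope: the :ancestor_ids strategy makes items owned by the user's
  # own tenant or any ancestor tenant visible.
  def self.visible_templates(templates, user_tenant)
    allowed = [user_tenant.id] + user_tenant.ancestor_ids
    templates.select { |tmpl| allowed.include?(tmpl.tenant.id) }
  end

  # Behaviour reported in the bug: deletion is allowed whenever the item is
  # visible and the role carries the delete feature (hypothetical feature name).
  def self.can_delete_by_visibility?(tmpl, user_tenant, role_features)
    role_features.include?(:catalog_item_delete) &&
      visible_templates([tmpl], user_tenant).any?
  end

  # Stricter alternative (illustrative only): the item must belong to the
  # user's own tenant or one of its descendants, never to an ancestor.
  def self.can_delete_by_ownership?(tmpl, user_tenant, role_features)
    role_features.include?(:catalog_item_delete) &&
      (tmpl.tenant.id == user_tenant.id ||
       tmpl.tenant.ancestor_ids.include?(user_tenant.id))
  end
end

# Constructed sample: a parent tenant owning a catalog item, and a child
# tenant whose admin role includes the delete feature.
PARENT = Tenant.new(1, nil)
CHILD  = Tenant.new(2, PARENT)
PARENT_ITEM = ServiceTemplate.new("parent-catalog-item", PARENT)
CHILD_ADMIN_FEATURES = [:catalog_item_view, :catalog_item_delete]
```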