Bug 1394283
| Summary: | [CFME 5.7 beta] Provisioning notifications are not RBAC-compliant with regard to group membership | |||
|---|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Peter McGowan <pmcgowan> | |
| Component: | Appliance | Assignee: | Šimon Lukašík <slukasik> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Shveta <sshveta> | |
| Severity: | high | Docs Contact: | ||
| Priority: | high | |||
| Version: | 5.7.0 | CC: | abellott, cpelland, dajohnso, jhardy, mkanoor, obarenbo, tfitzger | |
| Target Milestone: | GA | Keywords: | TestOnly | |
| Target Release: | 5.8.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | notification | |||
| Fixed In Version: | 5.8.0.0 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1397465 (view as bug list) | Environment: | ||
| Last Closed: | 2017-06-12 17:54:09 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | CFME Core | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1397465 | |||
Description
Peter McGowan
2016-11-11 14:57:59 UTC
I think this applies to more notifications than just those initiated from automate. Sending to appliance team to evaluate.

New commit detected on ManageIQ/manageiq/euwe:
https://github.com/ManageIQ/manageiq/commit/95b74a8a55fcbd5ebd93717eb58775b4c9ea211f

commit 95b74a8a55fcbd5ebd93717eb58775b4c9ea211f
Author: Gregg Tanzillo <gtanzill>
AuthorDate: Tue Nov 22 08:51:42 2016 -0500
Commit: Oleg Barenboim <chessbyte>
CommitDate: Tue Nov 22 10:13:49 2016 -0500

    Merge pull request #12771 from isimluk/rhbz#1394283

    Emit notifications only when user is authorized to see concerned object
    (cherry picked from commit 538b938dd4b81c5aff0347b9787da55622f97d3e)

    https://bugzilla.redhat.com/show_bug.cgi?id=1394283

app/models/notification.rb | 5 +++++
spec/lib/miq_automation_engine/miq_ae_service_spec.rb | 5 ++++-
spec/models/notification_spec.rb | 13 +++++++++++++
3 files changed, 22 insertions(+), 1 deletion(-)

To recreate:
1) Created a role with VM & Template Access Restriction of 'Only User or Group Owned'
2) Created two groups under same tenant with the above role
3) Created two users belonging to each group.
4) Login as user 1 (shveta/redhat) and provision an amazon instance.
5) Neither user 1 nor user 2 get notification.
6) Changed the role to VM & template restriction = None, user can now see all notifications, new or earlier ones too.

Appliance: https://10.8.198.161

Wow, nice find, Shveta! However, assuming everything else works as expected, I think this exception doesn't earn a `blocker` status. I think it could be solved in separate bz.

Interestingly, the 5.7 version of this (bug 1397465) was verified. I am searching for what changed since then.

This is currently blocked by other bug (set ownership not working for templates). That is however blocked by other bug in master (set ownership view broken by recent gtl refactoring).

Checked again. Working as expected. Verified in 5.8.0.13-rc2.20170502165848_0f98658
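The rule named in the commit message ("Emit notifications only when user is authorized to see concerned object"), combined with the two role restrictions used in the reproduction steps, as an added Ruby sketch; it is not code from this bug report or from ManageIQ. Every struct, method and constant name below is an assumption, and the sample users and VMs are constructed.

```ruby
# Hypothetical model, not ManageIQ code: all names here are assumptions.
Role  = Struct.new(:name, :vm_restriction) # :none or :user_or_group_owned
Group = Struct.new(:name, :role)
User  = Struct.new(:name, :group)
Vm    = Struct.new(:name, :owner, :owning_group)

# True when the user's role lets them see the VM.
def authorized?(user, vm)
  case user.group.role.vm_restriction
  when :none
    true
  when :user_or_group_owned
    # nil ownership never matches, so an unowned VM stays hidden.
    (!vm.owner.nil? && vm.owner.equal?(user)) ||
      (!vm.owning_group.nil? && vm.owning_group.equal?(user.group))
  else
    false # unknown restriction value: fail closed
  end
end

# Recipients of a notification about +subject+: only users allowed to see it.
def notification_recipients(users, subject)
  users.select { |u| authorized?(u, subject) }
end

def names(users)
  users.map(&:name)
end

# Constructed sample data mirroring the reproduction steps.
RESTRICTED   = Role.new("restricted", :user_or_group_owned)
UNRESTRICTED = Role.new("unrestricted", :none)
GROUP_A = Group.new("group_a", RESTRICTED)
GROUP_B = Group.new("group_b", RESTRICTED)
ADMINS  = Group.new("admins", UNRESTRICTED)
USER1 = User.new("user1", GROUP_A)
USER2 = User.new("user2", GROUP_B)
ADMIN = User.new("admin", ADMINS)
USERS = [USER1, USER2, ADMIN]

OWNED_VM   = Vm.new("vm-owned", USER1, GROUP_A) # ownership set at provisioning
GROUP_VM   = Vm.new("vm-group", nil, GROUP_B)   # group ownership only
UNOWNED_VM = Vm.new("vm-unowned", nil, nil)     # ownership never set

if __FILE__ == $PROGRAM_NAME
  [OWNED_VM, GROUP_VM, UNOWNED_VM].each do |vm|
    puts "#{vm.name}: #{names(notification_recipients(USERS, vm)).join(', ')}"
  end
end
```

In this model an object with no ownership set reaches only users whose restriction is `:none`, so a check of this kind depends on ownership being recorded correctly on the object.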