Bug 1401250

Summary: A tenant should not be able to delete other tenants' service dialogs
Product: Red Hat CloudForms Management Engine
Reporter: ldomb
Component: -- Unknown
Assignee: John Hardy <jhardy>
Status: CLOSED WONTFIX
QA Contact: Dave Johnson <dajohnso>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.6.0
CC: jhardy, kmorey, ldomb, nstephan, obarenbo
Target Milestone: GA
Target Release: cfme-future
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-09-20 11:54:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description ldomb 2016-12-04 00:14:29 UTC
Description of problem:

A tenant with superadmin can delete another tenant's service dialogs without being part of the tenant.

Version-Release number of selected component (if applicable):
5.6.3.3.20161128141841_49d925b

How reproducible:


Steps to Reproduce:
1. Create tenant1 and tenant2.
2. Create a project under tenant1 or tenant2.
3. Create a group and add role superadmin.
4. Create a user and add it to the group.
5. Log in with the newly created user from tenant1 and create a service dialog.
6. Log in with the newly created user from tenant2 and delete the dialog.

Actual results:

Tenant 2 can delete tenant1's dialog even if he does not own it.

Expected results:
Tenant 2 should not see tenant1's dialogs. Tenant2 should not be able to delete tenant 1's dialogs. 

Additional info:

Comment 2 Dave Johnson 2016-12-06 16:51:33 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

Comment 3 Josh Carter 2018-09-20 11:54:45 UTC
Bug Closure

Dear customer, 

The CloudForms team is reviewing the current CloudForms Bug (defect) backlog in order to target engineering efforts. We are closing any bugs for versions that no longer have an active errata stream or that have hit their age limit. We are committing to better management of the backlog as we move forward. If you have a bug that you are still able to reproduce on a current version of CloudForms, please open a new bug.

If you have any concerns about this, please let us know.

Thanks and regards!