Bug 1410929

Summary: Should not be able to create a product that does not match my permissions
Product: Red Hat Satellite Reporter: Stuart Auchterlonie <sauchter>
Component: Users & RolesAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE QA Contact: Katello QA List <katello-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.2.6CC: dhlavacd, mhulan
Target Milestone: Unspecified   
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-09 09:48:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1316897    

Description Stuart Auchterlonie 2017-01-06 21:13:09 UTC 
Description of problem:

A user with limited permissions can create a product with any
name, even one that does not match the search filter

Version-Release number of selected component (if applicable):

6.2.2 - 6.2.6

How reproducible:

100%

Steps to Reproduce:
1. The role assigned to the user has the following permission set

# hammer -u admin -p redhat role filters --id=22
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH                                                          | UNLIMITED? | ROLE    | PERMISSIONS                                                                     
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
167 | Katello::Product        | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_products, create_products, edit_products, destroy_products, sync_product...
168 | Katello::System         | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_content_hosts, edit_content_hosts                                          
169 | Katello::ContentView    | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_content_views, create_content_views, edit_content_views, destroy_content...
170 | Host                    | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_hosts, edit_hosts                                                          
171 | Katello::HostCollection | name ~ "Test_*_Dev" || name ~ "Test_*_QA"                       | no         | Limited | view_host_collections, edit_host_collections                                    
172 | JobInvocation           | none                                                            | yes        | Limited | create_job_invocations, view_job_invocations                                    
173 | Katello::KTEnvironment  | name ~ Dev || name ~ QA                                         | no         | Limited | view_lifecycle_environments, edit_lifecycle_environments, promote_or_remove_c...
174 | Katello::ActivationKey  | name ~ ak_test                                                  | no         | Limited | view_activation_keys, create_activation_keys, edit_activation_keys, destroy_a...
176 | Organization            | none                                                            | yes        | Limited | view_organizations, assign_organizations, view_subscriptions, attach_subscrip...
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------

2. Login to the web ui as the limited user (with the above role)
and create a product with a name that doesn't match the search
filter. (ie. wedgie). 


Actual results:

This product (step #2) is then created, but the limited
user cannot remove it, since it doesn't match the filter.

Expected results:

The user cannot create the product with a name that does
not match the search filter

Additional info:
Comment 3 Marek Hulan 2017-01-09 09:48:43 UTC 
I think this is a consequence of bz 1384035 so I'm marking it as a duplicate. If I misunderstood, please reopen. I'd also suggest linking the case and additional comments there. Thank you.

*** This bug has been marked as a duplicate of bug 1384035 ***