Bug 1436209

Summary: Should only be able to add repositories you have access to
Product: Red Hat Satellite
Reporter: Djebran Lezzoum <dlezzoum>
Component: Repositories
Assignee: Jonathon Turel <jturel>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.3.0
CC: bbuckingham, dhlavacd, katello-qa-list, sauchter, tstrachota
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1410916
Environment:
Last Closed: 2018-04-06 13:01:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1410916
Bug Blocks: 1316897

Description Djebran Lezzoum 2017-03-27 12:52:51 UTC
+++ This bug was initially created as a clone of Bug #1410916 +++

Description of problem:

When using a user with restricted rights I can add repositories
that I should not be allowed to.

Version-Release number of selected component (if applicable):

6.2.2 - 6.2.6

How reproducible:

100%

Steps to Reproduce:
1. The role assigned to the user has the following permission set

# hammer -u admin -p redhat role filters --id=22
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH                                                          | UNLIMITED? | ROLE    | PERMISSIONS                                                                     
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
167 | Katello::Product        | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_products, create_products, edit_products, destroy_products, sync_product...
168 | Katello::System         | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_content_hosts, edit_content_hosts                                          
169 | Katello::ContentView    | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_content_views, create_content_views, edit_content_views, destroy_content...
170 | Host                    | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_hosts, edit_hosts                                                          
171 | Katello::HostCollection | name ~ "Test_*_Dev" || name ~ "Test_*_QA"                       | no         | Limited | view_host_collections, edit_host_collections                                    
172 | JobInvocation           | none                                                            | yes        | Limited | create_job_invocations, view_job_invocations                                    
173 | Katello::KTEnvironment  | name ~ Dev || name ~ QA                                         | no         | Limited | view_lifecycle_environments, edit_lifecycle_environments, promote_or_remove_c...
174 | Katello::ActivationKey  | name ~ ak_test                                                  | no         | Limited | view_activation_keys, create_activation_keys, edit_activation_keys, destroy_a...
176 | Organization            | none                                                            | yes        | Limited | view_organizations, assign_organizations, view_subscriptions, attach_subscrip...
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------

2. Identify a repo which does not meet the above filter

# hammer -u admin -p redhat repository list | grep ^4
4   | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum          | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os     

3. Verify the user cannot see it

# hammer -u limited -p redhat repository list | grep ^4
<no output> as this repository doesn't match the search filter

4. Add the repository to the content view

# hammer -u limited -p redhat content-view add-repository --repository-id=4 --name Test_A_QA --organization ACME
The repository has been associated

Actual results:

Step 4 succeeds in adding a repository that doesn't match the search filter

Expected results:

Step 4 should fail since the repository doesn't match the search filter

Additional info:

5. # hammer -u limited -p redhat repository list | grep ^4
4   | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum          | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os  

Not only has it been associated, it's now returned in the list of repositories,
again despite it not matching the search filter.

--- Additional comment from Stuart Auchterlonie on 2017-01-06 15:44:53 EST ---

TAM customer Nomura identified this issue

--- Additional comment from RHEL Product and Program Management on 2017-01-06 15:45:51 EST ---

Since this issue was entered in Red Hat Bugzilla, the pm_ack has been
set to + automatically for the next planned release

--- Additional comment from Brad Buckingham on 2017-01-11 11:46:13 EST ---

Created redmine issue http://projects.theforeman.org/issues/18035 from this bug
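The authorization gap in the reproduction above, as an added Ruby illustration that is not Katello's or Foreman's own code: `visible_repos` stands in for the permission-filtered `repository list`, and the two `add_repository_*` functions contrast an unscoped lookup by id (the reported behaviour) with one resolved through the same filtered scope the list uses. The `Repo` struct, the tiny search-filter parser and the sample catalogue (id 4 echoing the report's repository) are constructed assumptions.

```ruby
# Constructed model of the report: a role filter on Katello::Product
# restricts what "repository list" shows, but "content-view add-repository
# --repository-id" resolved the id without applying that filter.
Repo = Struct.new(:id, :name, :product)

# Constructed sample catalogue; id 4 mirrors the repository in the report.
REPOS = [
  Repo.new(1, "Test_A base RPMs", "Test_A"),
  Repo.new(2, "rhel7 extras", "rhel7-server"),
  Repo.new(4, "Red Hat Software Collections RPMs for RHEL 7 Server x86_64",
           "Red Hat Software Collections for RHEL Server"),
]

# Turn a search such as  name ~ "Test_*" || name ~ "rhel7*"  into a predicate
# over the product name. Only the 'name ~ glob' OR-list used in the report is
# handled; this is an assumption, not Foreman's scoped_search grammar.
def filter_predicate(search)
  globs = search.scan(/name ~ "?([^" |]+)"?/).flatten
  ->(product) { globs.any? { |g| File.fnmatch?(g, product, File::FNM_CASEFOLD) } }
end

# What the limited user may see: the permission filter applied to the product.
def visible_repos(search)
  pred = filter_predicate(search)
  REPOS.select { |r| pred.call(r.product) }
end

# Vulnerable pattern: the id is looked up in the unscoped table, so the
# user's filter (deliberately ignored here) never enters the decision.
def add_repository_unscoped(_search, repo_id, view)
  repo = REPOS.find { |r| r.id == repo_id }
  raise ArgumentError, "no such repository" unless repo
  view << repo
  :associated
end

# Hardened pattern: resolve the id through the same authorized scope the
# list endpoint uses, so an id outside the filter behaves like a missing one.
def add_repository_scoped(search, repo_id, view)
  repo = visible_repos(search).find { |r| r.id == repo_id }
  return :not_found unless repo
  view << repo
  :associated
end

# The filter from row 167 of the role in the report.
LIMITED = 'name ~ "Test_*" || name ~ "rhel7*"'
```

With `LIMITED`, the unscoped function still associates repository 4 (the bug), while the scoped one returns `:not_found` for it and `:associated` only for ids the filter exposes.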

Comment 1 Satellite Program 2017-03-27 14:11:19 UTC
Upstream bug assigned to bbuckingham

Comment 2 Satellite Program 2017-03-27 14:11:23 UTC
Upstream bug assigned to bbuckingham

Comment 5 Satellite Program 2018-01-11 17:15:22 UTC
Upstream bug assigned to jturel

Comment 6 Satellite Program 2018-01-11 17:15:32 UTC
Upstream bug assigned to jturel

Comment 7 Brad Buckingham 2018-04-06 13:01:06 UTC

*** This bug has been marked as a duplicate of bug 1410916 ***