Bug 1441219

Summary: User with channel admin role can manage null-org channels
Product: Red Hat Satellite 5 Reporter: Jan Dobes <jdobes>
Component: APIAssignee: Jan Dobes <jdobes>
Status: CLOSED CURRENTRELEASE QA Contact: Ales Dujicek <adujicek>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 580CC: adujicek, mmraka, tlestach
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: spacewalk-java-2.5.14-88 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-21 12:13:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1340444, 1414454    

Description Jan Dobes 2017-04-11 12:48:19 UTC 
Description of problem:
If user has channel admin role, he can access and modify some attributes which he couldn't access and modify using WebUI with any role.

How reproducible:
always

Steps to Reproduce:
1. Try to call channel.access.getOrgSharing (channel.access.setOrgSharing) API with label of null-org channel.

Actual results:
You can access the values.

Expected results:
You can't access these values.
Comment 1 Jan Dobes 2017-04-11 14:03:34 UTC 
fixed in spacewalk master:

12bf2e452bb69aaa7159200b6083981f55c44047
Comment 6 Jan Dobes 2017-05-24 15:44:20 UTC 
problems from comment #4 and comment #5 fixed in spacewalk master:

398f7291e90a08f9e913922a7f9125a7136f3b55
47ceacfb19ae57c06352c6583e059cd073aeede5
Comment 11 Ales Dujicek 2017-05-30 12:26:10 UTC 
right, channel manager of channel can call everything on custom channels, this is OK as well:
setOrgSharing custom-channel - 1
getOrgSharing custom-channel - public
enableUserRestrictions custom-channel - 1
disableUserResttrictions custom-channel - 1

and user cannot be manager of red hat channels