Bug 1450839

Summary: Restricted user can see vm/instance from different groups which have tags from user's group
Product: Red Hat CloudForms Management Engine
Reporter: Ruslana Babyuk <rbabyuk>
Component: Appliance
Assignee: Libor Pichler <lpichler>
Status: CLOSED ERRATA
QA Contact: Dave Johnson <dajohnso>
Severity: medium
Docs Contact:
Priority: high
Version: 5.8.0
CC: abellott, hkataria, jhardy, lpichler, mpovolny, obarenbo, rbabyuk, simaishi, yrudman
Target Milestone: GA
Target Release: 5.9.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: report:tag:rbac
Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-01 13:12:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:

Description Ruslana Babyuk 2017-05-15 09:30:00 UTC
Description of problem:
User can see items from different groups but tagged by user's group tag

Version-Release number of selected component (if applicable):
5.7.1, 5.7.2, 5.8.0

How reproducible:
100%

Steps to Reproduce:
1. As admin, create 2 tenants (tenant1, tenant2)
2. Create role with "Only group and user owned" restriction (user_role)
3. Add 2 groups with 'user_role' role and set 2 different tags (group1->tag1, group2->tag2)
4. Create 2 users, and assign to groups (group1-> user1, group2->user2)
5. Add provider (infra or cloud)
6. Set ownership for 2 instances (instance1->group1, instance2->group2)
7. Set tags for instances (instance1->tag2, instance2->tag1)
8. Get content for "Recently Discovered Vms" widget
9. Log in as user1 or user2, navigate to dashboard

Actual results:
Widget displays 2 instances

Expected results:
With such configuration, user should not see any instances, as both groups also have tag restriction

Additional info:

Comment 8 errata-xmlrpc 2018-03-01 13:12:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0380
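
The fixture from the Steps to Reproduce, modeled as an added example (not CloudForms code and not part of the original report). It shows why ownership and tags are cross-assigned: only when both restrictions are enforced together is the expected empty result produced. The `visible` helper and its mode names are hypothetical, and the `:union` mode is an assumption that happens to match the reported output, not the confirmed cause of the bug.

```ruby
require 'set'

# Constructed fixture mirroring steps 3-7 of the report.
Group    = Struct.new(:name, :tag_filters)
Instance = Struct.new(:name, :owner_group, :tags)

GROUPS = {
  'group1' => Group.new('group1', Set['tag1']),
  'group2' => Group.new('group2', Set['tag2'])
}.freeze

USERS = { 'user1' => 'group1', 'user2' => 'group2' }.freeze

# Ownership and tags are deliberately crossed (steps 6 and 7).
INSTANCES = [
  Instance.new('instance1', 'group1', Set['tag2']),
  Instance.new('instance2', 'group2', Set['tag1'])
].freeze

# Hypothetical helper: names of the instances a user would see under a
# given way of combining the "group owned" and tag restrictions.
def visible(user, mode)
  group = GROUPS.fetch(USERS.fetch(user))
  INSTANCES.select do |inst|
    owned  = inst.owner_group == group.name
    tagged = inst.tags.intersect?(group.tag_filters)
    case mode
    when :ownership_only then owned
    when :tag_only       then tagged
    when :union          then owned || tagged  # assumption: matches "Actual results"
    when :intersection   then owned && tagged  # matches "Expected results"
    else raise ArgumentError, "unknown mode: #{mode}"
    end
  end.map(&:name)
end

if __FILE__ == $PROGRAM_NAME
  %i[ownership_only tag_only union intersection].each do |mode|
    USERS.each_key { |u| puts "#{mode} #{u}: #{visible(u, mode).inspect}" }
  end
end
```

Because each single restriction alone yields exactly one instance and the union yields two, a regression check built on this fixture can tell a dropped restriction apart from restrictions that are combined too permissively.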