Bug 1450961
| Summary: | SSUI: Restricted user(tag) can see service items list(but cannot open or order them) | | |
|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Ruslana Babyuk <rbabyuk> |
| Component: | UI - Service | Assignee: | Allen W <awight> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Ruslana Babyuk <rbabyuk> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.8.0 | CC: | cpelland, dclarizi, jhardy, obarenbo, rbabyuk, simaishi |
| Target Milestone: | GA | Keywords: | Regression, TestOnly |
| Target Release: | 5.9.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | ssui:tag | | |
| Fixed In Version: | 5.9.0.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1451078 | Environment: | |
| Last Closed: | 2018-03-06 14:49:48 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | CFME Core | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1451078 | | |

Description
Ruslana Babyuk
2017-05-15 13:07:00 UTC
If user1 is being assigned group1, which is assigned an unrestricted role, wouldn't user1 seeing the service item be the expected behavior?
Oh or is the restricted user, user2? What are the restrictions placed on this user?

(In reply to Allen W from comment #2)
> If user1 is being assigned group1, which is assigned an unrestricted role,
> wouldn't user1 seeing the service item be the expected behavior?
> Oh or is the restricted user, user2? What are the restrictions placed on
> this user?

Please assign tag to group1, and if any service doesn't have the same tag as group1, user should not see any services.

You can check it on my appliance https://10.8.199.14 with user: user1, password:111

I have 4 service items created and none of them have the tag assigned.

A VM! the best gift of all, thanks will check it out!

Having a real tough time understanding this one, any chance we could do a bluejeans session? Looking at Access Control, don't see any groups or users, are these LDAP records? Not able to see what tag is assigned to group1. Also I see no services in the SUI for the user1 account you posted, 4 service catalogs, but no services.

(In reply to Allen W from comment #5)
> Having a real tough time understanding this one, any chance we could do a
> bluejeans session? Looking at Access Control, don't see any groups or
> users, are these LDAP records? Not able to see what tag is assigned to
> group1. Also I see no services in the SUI for the user1 account you posted,
> 4 service catalogs, but no services.

Let's do bluejeans session: https://bluejeans.com/u/rbabyuk/
I am there already

Good news bad news on this.

The bad news is, if a user, without appropriate tag to view a service template(s), queries the service_catalogs endpoint, they can see EVERYTHING!!!!!! (this is an api hiccup tho).

Quick steps to reproduce in the context of this bz, checkout: `https://10.8.199.14/api/service_templates` with (user1 - 111) nothing! Yay!

Now checkout `https://10.8.199.14/api/service_catalogs?expand=resources,service_templates` same user/creds SEE STUFF that service_template stuff, no bueno :(

The good news is, there is already a fix out there, a merged pr that just has to be backported to resolve this issue `https://github.com/ManageIQ/manageiq-ui-service/pull/741` It goes back to using the service_templates endpoint.

SO POWERS THAT BE. You decide, do we backport? save the day?
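
A regression check for the mismatch described in the last comment, as an added example that is not part of the bug report or of the ManageIQ code: it compares the service template IDs a user receives from `/api/service_templates` with the ones nested under `/api/service_catalogs?expand=resources,service_templates`. The JSON bodies are constructed samples, their shape (a `resources` list, with nested `service_templates` given either as a list or as a `{"resources": [...]}` object) is an assumption, and all function names are hypothetical.

```python
import json

def _entry_id(entry):
    # A nested entry is either a full object ({"id": ...}) or a bare
    # reference ({"href": ".../service_templates/<id>"}).
    if "id" in entry:
        return str(entry["id"])
    return entry["href"].rstrip("/").rsplit("/", 1)[-1]

def visible_template_ids(templates_body):
    """IDs the user is allowed to see via /api/service_templates."""
    return {_entry_id(r) for r in templates_body.get("resources", [])}

def nested_template_ids(catalogs_body):
    """Map template id -> catalog name for templates nested under catalogs."""
    found = {}
    for catalog in catalogs_body.get("resources", []):
        nested = catalog.get("service_templates", [])
        if isinstance(nested, dict):  # {"count": n, "resources": [...]} form
            nested = nested.get("resources", [])
        for entry in nested:
            found[_entry_id(entry)] = catalog.get("name", "?")
    return found

def leaked_templates(templates_body, catalogs_body):
    """Templates reachable through catalogs but hidden from the direct endpoint."""
    allowed = visible_template_ids(templates_body)
    nested = nested_template_ids(catalogs_body)
    return {tid: cat for tid, cat in nested.items() if tid not in allowed}

# Constructed sample bodies for one restricted user (not captured from a real appliance).
TEMPLATES_EMPTY = json.loads('{"name": "service_templates", "resources": []}')
CATALOGS_LEAKY = json.loads("""{"name": "service_catalogs", "resources": [
  {"id": "1", "name": "catalog-a", "service_templates": [
    {"id": "11", "name": "item-1"}, {"id": "12", "name": "item-2"}]},
  {"id": "2", "name": "catalog-b", "service_templates": {"count": 1, "resources": [
    {"href": "https://appliance.example/api/service_catalogs/2/service_templates/13"}]}}
]}""")
CATALOGS_FILTERED = json.loads("""{"name": "service_catalogs", "resources": [
  {"id": "1", "name": "catalog-a", "service_templates": []},
  {"id": "2", "name": "catalog-b", "service_templates": {"count": 0, "resources": []}}
]}""")

if __name__ == "__main__":
    for tid, cat in sorted(leaked_templates(TEMPLATES_EMPTY, CATALOGS_LEAKY).items()):
        print(f"LEAK: service template {tid} exposed via catalog {cat}")
    assert leaked_templates(TEMPLATES_EMPTY, CATALOGS_FILTERED) == {}
```

An empty result for every tag-restricted test user is the pass condition; any entry means the two endpoints disagree about what that user may see.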