Bug 1467291

Summary: [BUG] User with a role containing an "edit_products" filter on a specific product can also remove content from other products' repositories.
Product: Red Hat Satellite
Reporter: vivpatil
Component: Repositories
Assignee: Jonathon Turel <jturel>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Priority: medium
Version: 6.2.10
CC: bbuckingham, dhlavacd, jcallaha, jturel
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2017-08-14 16:27:33 UTC
Type: Bug

Description vivpatil 2017-07-03 10:16:22 UTC
Description of problem:

When a Satellite user role is created with the edit_products permission on a specific product, it allows the user who is assigned this role to remove content from other products on which only the view_products filter is assigned. The user should be allowed to remove content from a product's repository only if they have edit_products rights.

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.2.10

How reproducible:
Every time.

Steps to Reproduce:
1. Create a new user.

2. Create a role with the filters below and assign it to the user created above. This will allow the user to edit only the product "puppet-prod" and will only allow viewing of the remaining products.
hammer> role filters --id 22
----|------------------|---------------------|------------|----------|--------------
ID  | RESOURCE TYPE    | SEARCH              | UNLIMITED? | ROLE     | PERMISSIONS  
----|------------------|---------------------|------------|----------|--------------
177 | Katello::Product | none                | yes        | prodview | view_products
178 | Katello::Product | name =  puppet-prod | no         | prodview | edit_products
----|------------------|---------------------|------------|----------|--------------

3. After this, try to remove a yum package from a repository in a product where the user has only view rights.
hammer> repository remove-content --name katello-agent --content-ids 11403 --organization-id 1
Repository content removed

Actual results:
The user is allowed to remove content from the product's repositories even when it has view-only access.

Expected results:
The user should not be allowed to remove content from the product's repositories where it has view-only access.
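An added example, not Katello's or Satellite's own code: it models the two role filters from step 2 as data and contrasts a check that only asks whether the user holds edit_products anywhere (which reproduces the observed behaviour) with one that also requires the granting filter's search scope to cover the product that owns the repository (the expected behaviour). The product names other than puppet-prod, the repository names and the function names are assumptions.

```ruby
# Added example, not Katello/Satellite code: the role filters from step 2 as
# data, plus two authorization checks for "repository remove-content".

Filter     = Struct.new(:resource_type, :search, :unlimited, :permissions)
Product    = Struct.new(:name)
Repository = Struct.new(:name, :product)

# The two filters of role "prodview" as listed by `hammer role filters --id 22`.
PRODVIEW_FILTERS = [
  Filter.new("Katello::Product", nil, true, ["view_products"]),
  Filter.new("Katello::Product", "name = puppet-prod", false, ["edit_products"])
].freeze

# Does this filter's scope cover the given product? An unlimited filter covers
# everything; otherwise only a "name = <value>" search is understood here.
def filter_covers?(filter, product)
  return true if filter.unlimited
  return false if filter.search.nil?
  m = filter.search.match(/\Aname\s*=\s*(\S+)\z/)
  !m.nil? && m[1] == product.name
end

# Unscoped check (reproduces the behaviour the report describes): passes as
# soon as *any* filter grants edit_products, ignoring which product it names.
def can_remove_content_unscoped?(filters, _repo)
  filters.any? { |f| f.permissions.include?("edit_products") }
end

# Scoped check (expected behaviour): the granting filter must be a
# Katello::Product filter whose search covers the repository's own product.
def can_remove_content_scoped?(filters, repo)
  filters.any? do |f|
    f.resource_type == "Katello::Product" &&
      f.permissions.include?("edit_products") &&
      filter_covers?(f, repo.product)
  end
end

# Constructed sample data: a repository in a product the role may only view
# (product and repository names are assumptions), and one in puppet-prod.
OTHER_REPO  = Repository.new("katello-agent-repo", Product.new("view-only-prod"))
PUPPET_REPO = Repository.new("puppet-modules", Product.new("puppet-prod"))

if __FILE__ == $PROGRAM_NAME
  puts "unscoped, other product: #{can_remove_content_unscoped?(PRODVIEW_FILTERS, OTHER_REPO)}" # true (bug)
  puts "scoped,   other product: #{can_remove_content_scoped?(PRODVIEW_FILTERS, OTHER_REPO)}"   # false
  puts "scoped,   puppet-prod:   #{can_remove_content_scoped?(PRODVIEW_FILTERS, PUPPET_REPO)}"  # true
end
```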

Comment 2 Jonathon Turel 2017-07-25 16:49:41 UTC
Created redmine issue http://projects.theforeman.org/issues/20409 from this bug

Comment 3 Jonathon Turel 2017-08-14 16:27:33 UTC
Closing this due to duplication. See 1410916 for the details about what's causing this problem and tracking the resolution.

*** This bug has been marked as a duplicate of bug 1410916 ***