Bug 1501127

Summary: Restrict edit_params & create_params to set host parameters on hosts that user owns
Product: Red Hat Satellite
Reporter: Dmitry Zhukovski <dzhukous>
Component: Users & Roles
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Priority: unspecified
Version: 6.2.12
CC: dhlavacd, mhulan
Target Milestone: Unspecified
Target Release: Unused
Hardware: x86_64
OS: Linux
Last Closed: 2017-10-12 07:26:15 UTC
Type: Bug

Description Dmitry Zhukovski 2017-10-12 06:52:24 UTC
Description of problem:
Restrict edit_params & create_params to set host parameters only on hosts that user owns

Version-Release number of selected component (if applicable):
6.2.12

How reproducible:
Every time

Steps to Reproduce:
1. Define that filter
Host       build_hosts, create_hosts                lifecycle_environment = "SomeEnv"
Host       destroy_hosts, edit_hosts, view_hosts    owner = <someuser>
Host       power_hosts                              owner = <someuser>
Parameter  edit_params, create_params               none
Domain     view_domains                             name = <somedomain>

2. Create new parameters on a hostname that is NOT owned by someuser
https://satellite/api/hosts/hostname/parameters
with JSON, for example:
{
  "name": "groups",
  "value": "<group1>"
}

Actual results:
POST is successful even though the hostname does not belong to someuser and is not visible on the All hosts page to that user

Expected results:
User is restricted to change/add parameters only on his own hosts

Additional info:

Comment 2 Marek Hulan 2017-10-12 07:26:15 UTC
Thanks, Dmitry, for the report. I believe this is a duplicate of BZ 1384035, which tracks it not only for parameters but for all resources. I'm marking it as a duplicate; please reattach the case. If I misunderstood, please let me know or reopen.

*** This bug has been marked as a duplicate of bug 1384035 ***
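
Added example (not part of the original report and not Satellite or Foreman code): a simplified Ruby model of the role from step 1, comparing the reported behaviour with the expected one. It assumes that "hosts that user owns" means hosts matching the user's edit_hosts filter; all names and the sample hosts are constructed for illustration.

```ruby
# Simplified model of the role from this report; hypothetical names throughout.
Filter = Struct.new(:resource, :permissions, :search) # search nil = "none" (unlimited)
Host   = Struct.new(:name, :owner, :lifecycle_environment)

# Constructed filters mirroring step 1; each search is evaluated against a host.
ROLE_FILTERS = [
  Filter.new("Host", %w[build_hosts create_hosts],
             ->(h, _u) { h.lifecycle_environment == "SomeEnv" }),
  Filter.new("Host", %w[destroy_hosts edit_hosts view_hosts],
             ->(h, u) { h.owner == u }),
  Filter.new("Host", %w[power_hosts], ->(h, u) { h.owner == u }),
  Filter.new("Parameter", %w[edit_params create_params], nil)
].freeze

# Constructed sample hosts: one owned by the user, one owned by someone else.
HOSTS = [
  Host.new("own.example.test", "someuser", "SomeEnv"),
  Host.new("other.example.test", "otheruser", "SomeEnv")
].freeze

# True when any filter grants the permission and its search matches the host.
def granted?(filters, resource, permission, user, host)
  filters.any? do |f|
    f.resource == resource && f.permissions.include?(permission) &&
      (f.search.nil? || f.search.call(host, user))
  end
end

# Reported behaviour: only the unscoped Parameter filter is consulted,
# so the parent host is never checked.
def can_create_param_reported?(filters, user, host)
  granted?(filters, "Parameter", "create_params", user, host)
end

# Expected behaviour (assumption: tie the check to edit_hosts on the parent host).
def can_create_param_scoped?(filters, user, host)
  can_create_param_reported?(filters, user, host) &&
    granted?(filters, "Host", "edit_hosts", user, host)
end

# Audit helper: hosts where the two checks disagree, i.e. the exposure.
def exposed_hosts(filters, user, hosts)
  hosts.select do |h|
    can_create_param_reported?(filters, user, h) &&
      !can_create_param_scoped?(filters, user, h)
  end.map(&:name)
end
```

Running exposed_hosts over an inventory gives the set of hosts a role with an unlimited Parameter filter could modify beyond its host scope.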