Bug 1809304
| Summary: | The create storage class button should only be present if a user has permissions to create storage classes | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | bpeterse | ||||||||
| Component: | Management Console | Assignee: | Zac Herman <zherman> | ||||||||
| Status: | CLOSED NOTABUG | QA Contact: | Yadan Pei <yapei> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | 4.4 | CC: | aos-bugs, fshaikh, jokerman, steven.barre, yapei, zherman | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | 4.5.0 | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2020-04-09 17:24:36 UTC | Type: | Bug | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Attachments: |
|
||||||||||
|
Description
bpeterse
2020-03-02 19:51:23 UTC
Hi team, Any updates here? Thanks, Fatima Created attachment 1673278 [details]
Normal User without Projects Visits Storage Classes page
Created attachment 1673279 [details]
Normal User Has Projects Visits Storage Classes page
Created attachment 1673280 [details]
Normal User Visits Storage Classes page by URL
Currently 1) Normal user can't see 'Create Storage' button on Storage Classes page 2) When normal user visit Storage Classes page via URL, he/she can still fill the form but got error message when he/she submit the form I'm not sure if we can show error message once user visit the form creation page via URL, I know we can show error message when user submit the form, will wait for comments from Devs 1) First off, thanks @Yadan Pei for doing some checking on this as well. 2) As Yadan stated, non-admin users cannot see the "Create Storage Class" button so that is working as designed. 3) Now, if a non-admin user has a URL to an admin type of page (create storage class, create PV, operator hub, cluster config), they can get to that page but they will not be able to do anything because the API requires proper authorization. 4) Currently there is no mechanism that simply prevents non-admin users from seeing admin pages. If there is any data from an API call on those pages that is sensitive, the API will show an error due to lack of authorization. I suggest we close this bug as working as designed. This was an issue back in 4.1, but seems to have been fixed now in 4.3. I'm the one who requested the RFE back in August. This should be OK to close now. If it has been resolved in recent versions, we can close the bug. Perhaps we can take some time & make sure we handle this consistently everywhere. |