Bug 1925172

Summary: Non admin user with viewer role can perform action on the task
Product: Red Hat Satellite Reporter: Anand Agrawal <aagrawal>
Component: Tasks PluginAssignee: Adam Ruzicka <aruzicka>
Status: CLOSED ERRATA QA Contact: Peter Ondrejka <pondrejk>
Severity: high Docs Contact:
Priority: low    
Version: 6.9.0CC: aruzicka, dsinglet, jbhatia, mzalewsk, paji, pcreech, satellite6-bugs, swadeley, vijsingh, zhunting
Target Milestone: 6.10.0Keywords: Regression, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: foreman-2.3.1.10-1, tfm-rubygem-foreman-tasks-4.1.4 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1922174 Environment:
Last Closed: 2021-11-16 14:10:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1922134, 1922145, 1922174    
Bug Blocks:    
Attachments:
Description Flags
batch-selection
none
batch-confirm none

Description Anand Agrawal 2021-02-04 14:22:47 UTC 
Description of problem:

Non-admin user with 'Viewer' role can see tasks and select All tasks. Individual task checkbox is greyed out but Select All is available. Non Admin user can check all task and perform Action, Cancel Selected, Resume Selected, Force Cancel selected

Version-Release number of selected component (if applicable):
6.9

How reproducible:

Always

Steps to Reproduce:
1. Create a non-admin user with 'viewer' role.
2. Login with above non admin role.
3. GoTo Monitor -> Tasks -> Select All tasks -> Select Action -> Resume selected 
Actual results:

It allow to select all tasks

Expected results:

It should not allow to select all


Additional info:
Comment 1 Adam Ruzicka 2021-02-11 10:20:17 UTC 
The current stance is:
1) The user can select all tasks, even if they cannot select every single task separately
2) The user can try to perform a bulk action against the selection
3) The bulk action is performed only against the tasks against which the user is permitted to perform the action

We cannot forbid users from trying to select all, because we cannot be sure that there is nothing the user could select on other pages. For the same reason, we cannot forbid them from trying to perform a bulk action on all selected tasks, because there may be a task in the selection against which they are allowed to perform the action.

> Non Admin user can check all task and perform Action, Cancel Selected, Resume Selected, Force Cancel selected

They can try to do that. Will the tasks be actually cancelled/resumed/force cancelled?
Comment 2 Anand Agrawal 2021-02-11 11:13:44 UTC 
(In reply to Adam Ruzicka from comment #1)
> The current stance is:
> 1) The user can select all tasks, even if they cannot select every single
> task separately
> 2) The user can try to perform a bulk action against the selection
> 3) The bulk action is performed only against the tasks against which the
> user is permitted to perform the action
> 
> We cannot forbid users from trying to select all, because we cannot be sure
> that there is nothing the user could select on other pages. For the same
> reason, we cannot forbid them from trying to perform a bulk action on all
> selected tasks, because there may be a task in the selection against which
> they are allowed to perform the action.

Here, I am talking of the viewer role specifically, which will have granular permission like "view_tasks". With this permission, I do not think, the user will have any tasks with permissions to perform the actions(Cancel, Resume, force ).

> 
> > Non Admin user can check all task and perform Action, Cancel Selected, Resume Selected, Force Cancel selected
> 
> They can try to do that. Will the tasks be actually cancelled/resumed/force
> cancelled?

With view-only permission, I do not expect this to be visible.
Comment 3 Bryan Kearney 2021-02-16 20:02:35 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31872 has been resolved.
Comment 10 Peter Ondrejka 2021-06-02 09:52:12 UTC 
Checked on snap_6.10.0_2.0, viewer is not able to operate on tasks, but the UI sends mixed signals, the select-all checkbox and the confirmation infobox are actin as if selection was possible even though the individual checkboxes are grayed-out (see screenshots).
Comment 11 Peter Ondrejka 2021-06-02 09:53:02 UTC 
Created attachment 1788651 [details]
batch-selection
Comment 12 Peter Ondrejka 2021-06-02 09:53:43 UTC 
Created attachment 1788652 [details]
batch-confirm
Comment 13 Adam Ruzicka 2021-06-02 10:36:25 UTC 
This is some kind of miscommunication. This was fixed, the fix was then reverted as mentioned in #4 and was not re-fixed since.
Comment 16 Peter Ondrejka 2021-09-29 12:52:35 UTC 
Verified on Sat 6.10 sn 20
Comment 19 errata-xmlrpc 2021-11-16 14:10:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702