Bug 591122

Summary: Users should not be able to see other users or Roles if they aren't authorized
Product: [Other] RHQ Project
Reporter: dsteigne
Component: Core UI
Assignee: RHQ Project Maintainer <rhq-maint>
Status: CLOSED NOTABUG
QA Contact: Corey Welton <cwelton>
Severity: medium
Priority: low
Version: 1.3.1
CC: jmarques, loleary, tao
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2010-09-21 15:12:09 UTC

Description dsteigne 2010-05-11 13:39:46 UTC
Description of problem:

Set up a user assigned to a group that is not authorized to:
Manage Security (Users/Roles)
Log in as that user; they can still see the Users and the Change Password link. Changing the password fails, but the user shouldn't have access to other users at all. Same with Roles: the user cannot make any edits, but they can still see all Roles and the Users assigned to them.

Comment 1 Joseph Marques 2010-09-21 15:12:09 UTC
We decided a while back that it was ok for all users to be able to see other users/roles in the system just in case they wanted to, for example, set up an alert definition that upon trigger would send notifications to a list of users and/or a list of roles.

The old UI is going away for RHQ 4 and will be replaced with a new GWT-based one. We'll make sure to pay attention to authorization, and conditionally render links so that unauthorized users don't think they have the ability to change passwords.

Comment 2 Larry O'Leary 2012-02-01 04:33:01 UTC
Looks like Bug 786159 might address this as a feature.