Bug 642231

Summary: User without edit permissions is able to edit the data
Product: [Other] RHQ Project Reporter: Sunil Kondkar <skondkar>
Component: Core UIAssignee: Ian Springer <ian.springer>
Status: CLOSED CURRENTRELEASE QA Contact: Corey Welton <cwelton>
Severity: high Docs Contact:
Priority: high    
Version: 4.0.0CC: ccrouch, ian.springer, jshaughn
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-24 01:07:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 585306, 641874    

Description Sunil Kondkar 2010-10-12 12:16:26 UTC 
Description of problem:

If a user does not have permissions to edit the data (Ex: without 'Manage_Security' permissions), he is able to edit and save the 'manage user' data.

Version-Release number of selected component (if applicable):
rhq build#401

How reproducible:

Always

Steps to Reproduce:

Create a role without 'Manage_Security' permissions.
Create a new user and assign the role created above
Login to Jon as newly created user
Navigate to 'Administration->Users'.
Double-click on a row having user details
Edit the last name and save.
  
Actual results:
User can edit and save the data

Expected results:
User should not be able to select, edit and save the data. The buttons like 'New', 'Save', 'Reset' and 'Delete' should be disabled.

Additional info:
Comment 1 Jay Shaughnessy 2011-02-14 14:26:12 UTC 
This actually generated an uncaught exception for me.
Comment 2 Ian Springer 2011-02-15 16:25:30 UTC 
Note, a user should be able to edit their own basic data - first name, last name, phone #, password, etc. But they should not be able to edit their permissions, roles, or groups, unless they have manage_security.
Comment 3 Ian Springer 2011-02-24 22:22:30 UTC 
I fixed a few related minor issues with commit [master 9acdc2f], but this was mainly working as designed - that is, a user can edit themselves, with the exceptions of the enabled/active field and their assigned roles.
Comment 4 Sunil Kondkar 2011-03-02 10:20:10 UTC 
Verified on Build#1056 (Version: 4.0.0-SNAPSHOT Build Number: 643ac4b).

This is working as designed. No exception is observed. User without 'Manage_Security' permissions is able to update his own data. Other user's data is view only.

Marking as verified.
Comment 5 Corey Welton 2011-05-24 01:07:23 UTC 
Bookkeeping - closing bug - fixed in recent release.