Bug 682710

Summary: Administration - Users: A user without 'Manage Security' permissions can delete another users
Product: [Other] RHQ Project Reporter: Sunil Kondkar <skondkar>
Component: Core ServerAssignee: Ian Springer <ian.springer>
Status: CLOSED CURRENTRELEASE QA Contact: Corey Welton <cwelton>
Severity: high Docs Contact:
Priority: urgent    
Version: 4.0.0.B02CC: ccrouch, ian.springer
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 585306, 677420    

Description Sunil Kondkar 2011-03-07 11:05:25 UTC 
Description of problem:

A user without 'Manage Security' permissions when navigates through the Administration->Security->Users list, the users list row items are selectable. Selecting a row except rhqadmin user enables the Delete button and other users can be deleted.

Version-Release number of selected component (if applicable):
Build# 1074  (Version: 4.0.0-SNAPSHOT Build Number: 77ad7aa)

How reproducible:
Always

Steps to Reproduce:

1. Login to RHQ as rhqadmin

2. Create a role without 'Manage Security' permissions.

3. Create a user and add the user to the above role.

4. Login to RHQ as the user without 'Manage Security' permissions.

5. Navigate to Administartion->Security->Users

6. Select any other user in the users list except rhqadmin.

7. Observe that the 'Delete' button get's enabled.

8. Click on 'Delete' button.

9. Click 'Yes' on the confirmation message.

10. The user get's deleted.

Actual results:

For a user without 'Manage Security' permissions, the user's list row items are selectable, selecting the row items enables the 'Delete' Button and other user gets deleted clicking the 'Delete' button.

Expected results:

1. A user without 'Manage Security' permissions should not be able to delete the other users.

2. If a user does not have 'Manage Security' permissions, the  row items should not be selectable.


Additional info:
Comment 1 Ian Springer 2011-03-08 23:19:45 UTC 
Fixed - [master fbbf83c].
Comment 2 Sunil Kondkar 2011-03-09 10:54:48 UTC 
Verified on Build# 1083 ( Version: 4.0.0-SNAPSHOT Build Number: fbbf83c)

For a user without 'Manage Security' permissions the row items on users list are not selectable.

Marking the bug as verified.
Comment 3 Corey Welton 2011-05-24 01:16:56 UTC 
Bookkeeping - closing bug - fixed in recent release.
Comment 4 Corey Welton 2011-05-24 01:16:56 UTC 
Bookkeeping - closing bug - fixed in recent release.
Comment 5 Corey Welton 2011-05-24 01:16:56 UTC 
Bookkeeping - closing bug - fixed in recent release.
Comment 6 Corey Welton 2011-05-24 01:17:13 UTC 
Bookkeeping - closing bug - fixed in recent release.