Bug 735975

Summary: 'Remove User' shouldn't be active If assigned role has access/update related permissions
Product: Red Hat Satellite Reporter: Sachin Ghai <sghai>
Component: WebUIAssignee: Partha Aji <paji>
Status: CLOSED CURRENTRELEASE QA Contact: Katello QA List <katello-qa-list>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.0.0CC: mmccune
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-22 17:55:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 747354    
Attachments:
Description Flags
Remove user on top right of 'Edit User' window
none
"Remove user" is activated on top right of 'Edit User' window
none
"Remove user" is removed on top right of 'Edit User' window with the permissions mentioned in defect's description none

Description Sachin Ghai 2011-09-06 10:50:18 UTC 
Description of problem:
I created a customized role. That role includes following permissions:

Permissions for User 
- Access user
- Update user

Permissions for Roles:
- Access roles
- Update roles

I assigned this role to a newly created user. When I login with this user and check Roles/permissions on right pane under 'Edit User', I found that 'Remove user' is active.

Ideally Remove user shouldn't be active If assigned role has access/update related permissions. This should only be available if I choose delete user permission or should throw a permission denied message.


Version-Release number of selected component (if applicable):
katello-0.1.75-1.git.41.2e9f377.fc15.noarch

How reproducible:
always

Steps to Reproduce:
1. Login with admin user
2. Create a new user e.g. newuser
3. Create a role with above permissions
4. Assign that  role to 'newuser'
5. Login with 'newuser' 
6. Goto Administration ==> double click on 'newuser' ==> Select Roles & permissions from 'Edit User' on right pane. 
7. Click on 'Remove user' on top right of 'Edit user' window 
  
Actual results:
When you click on Remove User, nothing happens. 

Expected results:

Ideally Remove user shouldn't be active If assigned role has access/update related permissions or should throw a permission denied message. This should only be available if we choose delete user permission

Additional info:
Comment 1 Sachin Ghai 2011-09-06 10:53:56 UTC 
Created attachment 521627 [details]
Remove user on top right of 'Edit User' window
Comment 2 Partha Aji 2011-09-15 16:25:07 UTC 
This commit should have fixed your issue. Can't reproduce it .. Moving to ON_QA since this was done a while back..
http://git.fedorahosted.org/git/?p=katello.git;a=commit;h=46b8fb5fbfa11dd83b29e3039e937e91fbaf5cd8
Comment 3 Sachin Ghai 2011-10-03 06:26:28 UTC 
Verified again with following builds and its still reproducible:

[root@dhcp201-187 ~]# rpm -qa | grep katello
katello-cli-0.1.10-1.git.436.ebcad79.fc15.noarch
katello-0.1.85-1.git.70.844626c.fc15.noarch
katello-configure-0.1.3-1.git.0.403cd32.fc15.noarch

katello/production.log says:
==============================


Started DELETE "/katello//users/4" for 10.65.193.48 at Mon Oct 03 11:50:21 +0530 2011
  Processing by UsersController#destroy as JS
  Parameters: {"id"=>"4"}
User test_user is not allowed to access users/destroy
User test_user is not allowed to access users/destroy
#<Errors::SecurityViolation: User test_user is not allowed to access users/destroy>
/usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:453:in `_run__434435962__process_action__988268021__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_1818'
/usr/share/katello/lib/util/threadsession.rb:77:in `thread_locals'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:220:in `_conditional_callback_around_1818'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:446:in `_run__434435962__process_action__988268021__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:410:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:410:in `_run_process_action_callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:94:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:94:in `run_callbacks'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/abstract_controller/callbacks.rb:17:in `process_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal/rescue.rb:17:in `process_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal/instrumentation.rb:30:in `process_action'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/notifications.rb:52:in `instrument'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/notifications/instrumenter.rb:21:in `instrument'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/notifications.rb:52:in `instrument'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal/instrumentation.rb:29:in `process_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/abstract_controller/base.rb:119:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/abstract_controller/rendering.rb:41:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal.rb:138:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal.rb:178:in `action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/routing/route_set.rb:62:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/routing/route_set.rb:62:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/routing/route_set.rb:27:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/route_set.rb:150:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/code_generation.rb:93:in `recognize'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/code_generation.rb:68:in `optimized_each'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/code_generation.rb:92:in `recognize'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/route_set.rb:141:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/routing/route_set.rb:493:in `call'
/usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:35:in `call'
/usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:34:in `catch'
/usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:34:in `call'
/usr/lib/ruby/gems/1.8/gems/sass-3.1.4/lib/sass/../sass/plugin/rack.rb:54:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/head.rb:14:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/methodoverride.rb:24:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/params_parser.rb:21:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/flash.rb:182:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/session/abstract_store.rb:149:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/cookies.rb:302:in `call'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/query_cache.rb:32:in `call'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/connection_adapters/abstract/query_cache.rb:28:in `cache'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/query_cache.rb:12:in `cache'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/query_cache.rb:31:in `call'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/connection_adapters/abstract/connection_pool.rb:354:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/callbacks.rb:46:in `call'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:416:in `_run_call_callbacks'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/callbacks.rb:44:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/sendfile.rb:102:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/remote_ip.rb:48:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/show_exceptions.rb:47:in `call'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.10/lib/rails/rack/logger.rb:13:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/runtime.rb:17:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/lock.rb:34:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/static.rb:30:in `call'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.10/lib/rails/application.rb:168:in `call'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.10/lib/rails/application.rb:77:in `send'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.10/lib/rails/application.rb:77:in `method_missing'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/urlmap.rb:52:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/urlmap.rb:46:in `each'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/urlmap.rb:46:in `call'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:84:in `pre_process'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:82:in `catch'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:82:in `pre_process'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:57:in `process'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:42:in `receive_data'
/usr/lib/ruby/gems/1.8/gems/eventmachine-0.12.10/lib/eventmachine.rb:256:in `run_machine'
/usr/lib/ruby/gems/1.8/gems/eventmachine-0.12.10/lib/eventmachine.rb:256:in `run'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/backends/base.rb:61:in `start'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/server.rb:159:in `start'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/controllers/controller.rb:86:in `start'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/runner.rb:185:in `send'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/runner.rb:185:in `run_command'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/runner.rb:151:in `run!'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/bin/thin:6
/usr/share/katello/script/thin:59:in `load'
/usr/share/katello/script/thin:59
Rendered common/403.html.haml (0.6ms)
Completed 403 Forbidden in 14ms (Views: 1.1ms | ActiveRecord: 3.9ms)



Logs are correctly denying since user doesn't have appropriate permissions. However UI should also throw a proper message or deactivate the "Remove User" button.
Comment 4 Sachin Ghai 2011-10-03 06:29:06 UTC 
Created attachment 525978 [details]
"Remove user" is activated on top right of 'Edit User' window
Comment 5 Partha Aji 2011-10-12 23:11:51 UTC 
Thanks. Missed the " Select Roles & permissions from 'Edit User'" part in the original bug.

Should be fixed as of http://git.fedorahosted.org/git/?p=katello.git;a=commit;h=c9018f735416ee92116e5be7821c0b8744badbcb
Comment 6 Sachin Ghai 2011-12-23 11:44:03 UTC 
Verified with following katello build:

[root@dhcp201-162 ~]# rpm -qa | grep katello
katello-0.1.154-1.el6.noarch
katello-trusted-ssl-cert-1.0-1.noarch
katello-cli-common-0.1.30-1.el6.noarch
katello-glue-pulp-0.1.154-1.el6.noarch
katello-configure-0.1.46-1.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-glue-candlepin-0.1.154-1.el6.noarch
katello-all-0.1.154-1.el6.noarch
katello-repos-0.1.4-1.el6.noarch
katello-cli-0.1.30-1.el6.noarch
katello-glue-foreman-0.1.154-1.el6.noarch
katello-common-0.1.154-1.el6.noarch
katello-certs-tools-1.0.1-1.el6.noarch
katello-httpd-ssl-key-pair-1.0-1.noarch


"Remove user" is removed from UI when we applied the roles with the permissions mentioned in defect's description.

For verification, please see the attachment in next comment.
Comment 7 Sachin Ghai 2011-12-23 11:45:09 UTC 
Created attachment 549333 [details]
"Remove user" is removed on top right of 'Edit User' window with the permissions mentioned in defect's description