Bug 745801

Summary: [ipa webui] When user logs in for self service, enroll buttons are enabled
Product: Red Hat Enterprise Linux 6 Reporter: Namita Soman <nsoman>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: high    
Version: 6.1CC: edewata, jgalipea, mkosek, pvoborni, yzhang
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.2.0-1.el6 Doc Type: Bug Fix
Doc Text:
No documentation needed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:15:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 756082    
Attachments:
Description Flags
screen shot none

Description Namita Soman 2011-10-13 13:16:39 UTC 
Description of problem:
When a user logs in for self service, enroll buttons are enabled in the memberof tabs.
User can go ahead, and select which groups/roles to enroll himself into.
Then when 'Enroll' is clicked - throws error -
two: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=admins,cn=groups,cn=accounts,dc=testrelm'.

Version-Release number of selected component (if applicable):
ipa-server-2.1.2-2.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Add a user, set its passwd, login as this user
2. In the UI, go to Groups tab, can click 'Enroll'
3. Can see groups listed, select some, and click 'Enroll'
  
Actual results:
Clicking 'Enroll' throws error:
two: Insufficient access: Insufficient 'write' privilege to the 'member' attribute of entry 'cn=admins,cn=groups,cn=accounts,dc=testrelm'.


Expected results:
The 'Enroll' button should be disabled if this user doesn't have the permissions - on all the tabs under memberof


Additional info:
Comment 2 Dmitri Pal 2011-10-13 16:13:58 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/1972
Comment 4 Namita Soman 2011-11-28 15:28:02 UTC 
Related/Similar behaviour - buttons enabled, when user doesn't have the privilege:

When a user logs in for self-service, the Add button is enabled.
Add a user, and click on 'Add' - error - Insufficient access: Insufficient 'add' privilege to add the entry 'uid=2,cn=users,cn=accounts,dc=testrelm'.

Choose a user to delete, and Delet button is enabled. Delete the user - error - Insufficient access: Insufficient 'delete' privilege to delete the entry 'uid=one,cn=users,cn=accounts,dc=testrelm'.

Also seeing this when logging in as a user who is enrolled as with role - helpdesk admin. Add/Delete buttons are enabled, when this user can only modify.
Comment 5 Endi Sukma Dewata 2011-12-12 19:38:46 UTC 
The issue in the original description is fixed in master (7710bfb5bdef1faa959b7f9402c2840b5ef65d7e).

The issue in comment #4 is covered in this ticket: https://fedorahosted.org/freeipa/ticket/2188
Comment 6 Petr Vobornik 2012-02-01 15:12:34 UTC 
Issue in comment #4 fixed in upstream.

master: 0c4500738be7647e852a8e41dd6b6dfd48182908

ipa-2-2: f0fcd0677756020b9da6b6e116d72d92e0683744
Comment 8 Jenny Severance 2012-04-18 15:42:46 UTC 
verified version ipa-server-2.1.3-9.el6.x86_64

see attached screen shot
Comment 9 Jenny Severance 2012-04-18 15:43:07 UTC 
Created attachment 578399 [details]
screen shot
Comment 10 Petr Vobornik 2012-04-24 12:53:25 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
No documentation needed.
Comment 12 errata-xmlrpc 2012-06-20 13:15:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html