Bug 766001

Summary: Read Only account was able to delete system
Product: Red Hat Satellite
Reporter: Eric Sammons <esammons>
Component: WebUI
Assignee: Partha Aji <paji>
Status: CLOSED CURRENTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: urgent
Priority: urgent
Version: 6.0.0
CC: mmccune, sghai
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Environment: headpin
Last Closed: 2012-08-22 18:12:31 UTC
Bug Blocks: 747354
Attachments (description; flags):
Screen shot of logged in user, w/ system having been deleted; none
Permission page showing Access Only on Org.; none
Permission page showing Access only to environments.; none
with access only permissions, no 'remove system' option is available on UI.; none

Description Eric Sammons 2011-12-09 20:33:36 UTC
Created attachment 544687
Screen shot of logged in user, w/ system having been deleted

Description of problem:
Logged in as a user with Access only permissions, was able to delete a system.

Comment 1 Eric Sammons 2011-12-09 20:34:29 UTC
Created attachment 544689
Permission page showing Access Only on Org.

Comment 2 Eric Sammons 2011-12-09 20:35:29 UTC
Created attachment 544691
Permission page showing Access only to environments.

Comment 3 Partha Aji 2012-01-11 23:26:40 UTC
Hmm. Can't seem to reproduce this. Check again and fail it if it still occurs.

Comment 4 Sachin Ghai 2012-01-17 09:17:39 UTC
Verified this with the following katello build:

[root@dhcp201-176 ~]# rpm -qa | grep -ie katello-0 -ie pulp-0
katello-0.1.178-1.el6.noarch
katello-glue-pulp-0.1.178-1.el6.noarch
pulp-0.0.257-1.el6.noarch
[root@dhcp201-176 ~]# 


This defect is not reproducible.

I created a user 'test' and assigned access only permissions for org and env.

However, when I tried to remove a system, no such option was available on UI. Please see the attachment in the next comment.

Comment 5 Sachin Ghai 2012-01-17 09:21:09 UTC
Created attachment 555712
with access only permissions, no 'remove system' option is available on UI.