Bug 773137

Summary: user w/ read systems in environment can see all systems
Product: Red Hat Satellite
Reporter: Tom McKay <tomckay>
Component: WebUI
Assignee: Partha Aji <paji>
Status: CLOSED CURRENTRELEASE
QA Contact: Garik Khachikyan <gkhachik>
Severity: high
Priority: unspecified
Version: 6.0.0
CC: gkhachik, hhovsepy, mkoci, mmccune
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-08-22 18:18:17 UTC
Bug Blocks: 747354

Description Tom McKay 2012-01-11 03:31:08 UTC
Create a user with a single permission of "Read Systems in Environment" and choose an environment. Now log in as that user and visit Systems All; note that all systems are indeed visible. Going to the Systems By Environments tab does work as expected, limiting the environment selector to the proper setting.

Comment 2 Mike McCune 2012-01-26 19:07:02 UTC
mass ON_QA move

Comment 4 Garik Khachikyan 2012-02-09 15:30:38 UTC
# VERIFIED

Preparing a scenario in the following way (having in advance 2 environments: Dev & Test for the ACME_Corporation):
---
*user_role*
Name: Read Systems only

*permission*
Name:  Read Systems only
Scope: environments
Verbs:
    read_systems
Tags:
    Dev

*user list_roles --username user_system_only -v*
Name: Read Systems only
---

So the idea is: create a user and assign a user role which has a permission of read_systems for the environment "Dev" only (pure CLI only is used ;))

Then with user admin register 2 systems: one for each env.

Try to list systems with the user_system_only user logged in (UI).

Properly shown: only the system registered to Dev.

Checked against:
---
katello-0.1.228-1.git.5.eabe87d.el6.noarch
katello-cli-0.1.54-1.git.0.2670189.el6.noarch
subscription-manager-0.99.6-1.el6.x86_64
pulp-0.0.265-1.el6.noarch
candlepin-0.5.8-1.el6.noarch

Comment 7 Hayk Hovsepyan 2012-12-03 15:52:33 UTC
Automated in method "com.redhat.qe.katello.tests.e2e.SystemListAccess.test_listSystem()"
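
Added example (not part of the bug report and not Katello's code): a small Ruby model of the scenario from Comment 4, with a regression check that a listing never returns systems outside the environments named in the user's read_systems permission. The class, function and system names are hypothetical, and list_all_unscoped models only the reported symptom, not the actual cause in the product.

```ruby
# Added illustration; a hypothetical in-memory model, not Katello's code.
require "set"

Permission = Struct.new(:scope, :verbs, :tags) # tags = environment names
SystemRec  = Struct.new(:name, :environment)

class User
  attr_reader :name

  def initialize(name, permissions)
    @name = name
    @permissions = permissions
  end

  # Environments in which this user holds `verb`.
  def environments_for(verb)
    @permissions
      .select { |p| p.scope == :environments && p.verbs.include?(verb) }
      .flat_map(&:tags)
      .to_set
  end
end

# Symptom from the description: the page is reachable because the user holds
# read_systems somewhere, but the rows themselves are not scoped.
def list_all_unscoped(user, systems)
  return [] if user.environments_for(:read_systems).empty?
  systems
end

# Behaviour verified in Comment 4: rows are filtered by the environments
# listed in the permission's tags.
def list_all_scoped(user, systems)
  allowed = user.environments_for(:read_systems)
  systems.select { |s| allowed.include?(s.environment) }
end

# Constructed fixture mirroring Comment 4 (system names are made up).
SYSTEMS = [SystemRec.new("sys-dev", "Dev"), SystemRec.new("sys-test", "Test")].freeze
READER  = User.new("user_system_only",
                   [Permission.new(:environments, [:read_systems], ["Dev"])])

# Regression check: names of listed systems outside the permitted environments.
def leaked(user, listing)
  allowed = user.environments_for(:read_systems)
  listing.reject { |s| allowed.include?(s.environment) }.map(&:name)
end

puts "unscoped leak: #{leaked(READER, list_all_unscoped(READER, SYSTEMS)).inspect}"
puts "scoped leak:   #{leaked(READER, list_all_scoped(READER, SYSTEMS)).inspect}"
```

Running the same leak check against every listing view (All, By Environments) catches the case where one view is scoped and another is not.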