| Summary: | SecurityViolation error while clicking the auto heal check box using read only user | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Sachin Ghai <sghai> | ||||||
| Component: | WebUI | Assignee: | Tom McKay <tomckay> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Katello QA List <katello-qa-list> | ||||||
| Severity: | high | Docs Contact: | |||||||
| Priority: | high | ||||||||
| Version: | 6.0.0 | CC: | bkearney, cwelton, jturner, mmccune, tomckay | ||||||
| Target Milestone: | Unspecified | Keywords: | Triaged | ||||||
| Target Release: | Unused | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2012-08-22 18:25:13 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Attachments: |
|
||||||||
Created attachment 559853 [details]
Complete error log from production.log
Created attachment 559854 [details]
enabled check box with read only user
commit 28922108dbab695c444fc99f4e9cb645f565f5a2
Author: Tom McKay <thomasmckay>
Date: Thu Mar 1 12:29:13 2012 -0500
787979 - auto-heal checkbox only enabled if system editable
Verified in brew build fixed in brew build 0.1.303-1.el6 |
Description of problem: I was testing the user roles. A system was already register with admin user. However when I login with read only user and go to the systems tab and selected the subscription sub tab from right pane, found that few check boxes were enable. Ideally with read only user these check boxes should be set to disable. When I clicked on autoheal check box, a long backtrace generated in production.log. --- Started POST "/katello/systems/1" for 10.65.193.48 at Tue Feb 07 06:31:03 -0500 2012 Processing by SystemsController#update as HTML Parameters: {"id"=>"1", "authenticity_token"=>"2bL/yVTy54rdStWx5GO1OFv7tP5mJYYjiHwvs8m2i7Q=", "autoheal"=>"false", "utf8"=>"✓"} User reader is not allowed to access systems/update User reader is not allowed to access systems/update #<Errors::SecurityViolation: User reader is not allowed to access systems/update> /usr/share/katello/lib/authorization_rules.rb:31:in `authorize' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:458:in `_run__726213939__process_action__1614930260__callbacks' /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_2744' ---- <truncate> Version-Release number of selected component (if applicable): katello-configure-0.1.55-2.el6.noarch katello-glue-candlepin-0.1.211-2.el6.noarch katello-cli-common-0.1.44-2.el6.noarch katello-common-0.1.211-2.el6.noarch katello-selinux-0.1.3-1.el6.noarch katello-httpd-ssl-key-pair-1.0-1.noarch katello-qpid-broker-key-pair-1.0-1.noarch katello-glue-pulp-0.1.211-2.el6.noarch katello-0.1.211-2.el6.noarch katello-certs-tools-1.0.2-2.el6.noarch katello-glue-foreman-0.1.211-2.el6.noarch katello-trusted-ssl-cert-1.0-1.noarch katello-all-0.1.211-2.el6.noarch katello-cli-0.1.44-2.el6.noarch How reproducible: always Steps to Reproduce: 1. register a machine using admin user 2. create a read only user 'reader' 3. Login with user 'reader' 4 go to systems tab ==>subscription 5. click on autoheal checkbox Actual results: Error with long backtrace in production.log Expected results: I think all check boxes should be disabled for read only user otherwise no backtrace should be there in production.log instead of this UI should raise a permission denied message. Additional info: