Bug 790735

Summary: Non admin user is able to delete the imported image after Revoking the role of "Image Administrator"
Product: [Retired] CloudForms Cloud Engine
Reporter: Shveta <ssachdev>
Component: aeolus-conductor
Assignee: Scott Seago <sseago>
Status: CLOSED ERRATA
QA Contact: pushpesh sharma <psharma>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 1.0.0
CC: akarol, bbandari, deltacloud-maint, hbrock, psharma, ssachdev
Target Milestone: beta5
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-05-15 22:37:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Shveta 2012-02-15 09:48:54 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a user shveta, granted role of Image Administrator
2. Imported image
3. Revoked the role of "Image Admin", user is not able to import now,
but is able to delete the previously imported image.

User is also able to build and push image.

User should not be able to perform any action on image.
  
Actual results:


Expected results:


Additional info:
rpm -qa|grep aeolus
aeolus-conductor-doc-0.8.0-27.el6.noarch
aeolus-conductor-daemons-0.8.0-27.el6.noarch
aeolus-configure-2.5.0-13.el6.noarch
rubygem-aeolus-cli-0.3.0-8.el6.noarch
aeolus-all-0.8.0-27.el6.noarch
aeolus-conductor-0.8.0-27.el6.noarch
rubygem-aeolus-image-0.3.0-7.el6.noarch

Comment 1 Shveta 2012-02-15 09:50:25 UTC
"push all" button is hidden after revoking the role of "Image Admin"
but user can build and push to individual providers,
then what's the point in hiding "push all" button?

No action on images should be allowed

Comment 2 Scott Seago 2012-02-28 05:44:57 UTC
Ahh, yes this looks like a fairly straightforward bug -- the 'delete' action isn't being filtered on permissions.
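
The failure mode discussed in Comments 1 and 2 (a hidden button or a check on one action, with other actions left unfiltered) can be shown in a small Ruby model. This is an added example, not aeolus-conductor code and not the patch referenced in this bug; `User`, `ImageService`, `ROLE_ACTIONS` and `allowed_after_revoke` are hypothetical names, and the role table is constructed.

```ruby
# Added illustration, not aeolus-conductor code; all names are hypothetical.
class PermissionDenied < StandardError; end

ALL_ACTIONS = %i[import build push delete].freeze
# Constructed role table: which actions each role grants.
ROLE_ACTIONS = { "Image Administrator" => ALL_ACTIONS }.freeze

class User
  attr_reader :name, :roles
  def initialize(name, roles)
    @name = name
    @roles = roles.dup
  end

  # Computed from the roles held at call time, so a revocation also
  # covers images the user imported while the role was still granted.
  def can?(action)
    @roles.any? { |r| ROLE_ACTIONS.fetch(r, []).include?(action) }
  end
end

class ImageService
  attr_reader :images
  # guarded: actions that get a permission check. Guarding only
  # [:import] reproduces the behaviour described in the report.
  def initialize(guarded: ALL_ACTIONS)
    @guarded = guarded
    @images = {}
  end

  def perform(user, action, id)
    raise ArgumentError, "unknown action #{action}" unless ALL_ACTIONS.include?(action)
    if @guarded.include?(action) && !user.can?(action)
      raise PermissionDenied, "#{user.name} may not #{action} images"
    end
    action == :delete ? @images.delete(id) : (@images[id] ||= []) << action
    :ok
  end
end

# Import as Image Administrator, revoke the role, then list what still works.
def allowed_after_revoke(service)
  user = User.new("shveta", ["Image Administrator"])
  service.perform(user, :import, "img-1")
  user.roles.delete("Image Administrator")
  ALL_ACTIONS.select do |action|
    service.perform(user, action, "img-1") rescue false
  end
end
```

With `guarded: [:import]` the revoked user can still build, push and delete the earlier image; with the default, every action is refused and the image remains.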

Comment 4 Scott Seago 2012-03-09 05:56:18 UTC
Patch on-list: https://fedorahosted.org/pipermail/aeolus-devel/2012-March/009484.html

Comment 5 Scott Seago 2012-03-12 04:36:15 UTC
Pushed to master: 570f0138508af369f41e2950b3aa632d0ea606dd

Comment 7 pushpesh sharma 2012-04-05 05:23:21 UTC
User is not able to import new images, delete images, push, build images after revoking the image admin permissions.
Marking this bug as verified based on the above observation.

Comment 9 errata-xmlrpc 2012-05-15 22:37:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0583.html