Bug 796047

Summary: SecurityViolation error while accessing gpg key details with read only user
Product: Red Hat Satellite
Reporter: Sachin Ghai <sghai>
Component: WebUI
Assignee: Partha Aji <paji>
Status: CLOSED ERRATA
QA Contact: Sachin Ghai <sghai>
Severity: medium
Docs Contact:
Priority: high
Version: 6.0.0
CC: achan, asettle, inecas, jlaska, mmccune, omaciel, ppokorny
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When a read-only user attempted to view a GPG key in the graphical user interface, the body of the key was left blank. This was caused by a security violation error where the code had attempted to grant the user edit instead of read permissions. This is fixed in the current version. Users with read-only permission can now view GPG keys.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-04 19:42:17 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Attachments (description, flags):
- Complete error log from production.log (flags: none)
- no details displayed on UI for gpg_keys using read only user (flags: none)
- can see details of gpg-key using read only user (flags: none)

Description Sachin Ghai 2012-02-22 07:23:55 UTC
Description of problem:
I was trying to see the created GPG key details in the ACME_Corporation org. However, when I click on the 'Details' tab of a GPG key, the following backtrace is generated in production.log. Nothing is displayed on the UI.

--
[ERROR: 2012-02-22 12:47:33 #30885] User reader is not allowed to access gpg_keys/edit
[ERROR: 2012-02-22 12:47:33 #30885] User reader is not allowed to access gpg_keys/edit
[ERROR: 2012-02-22 12:47:33 #30885] #<Errors::SecurityViolation: User reader is not allowed to access gpg_keys/edit>
[ERROR: 2012-02-22 12:47:33 #30885] /usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
[ERROR: 2012-02-22 12:47:33 #30885] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:458:in `_run__1167204022__process_action__1026853947__callbacks'
[ERROR: 2012-02-22 12:47:33 #30885] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_2755'

----

Version-Release number of selected component (if applicable):
pulp-0.0.265-1.el6.noarch
katello-cli-0.1.54-2.el6.noarch
katello-0.1.238-4.el6.noarch


How reproducible:
always

Steps to Reproduce:
1. Add GPG keys in any org as the admin user
2. Create a user 'reader' with read-only permissions
3. Log in as reader and check the 'Details' tab of a gpg_key
  
Actual results:
Nothing is displayed on the UI under 'Details' and 'Product & repositories'; see the attached screenshot.

A long backtrace appears in production.log.

Expected results:
Details should be displayed properly, without any error in production.log.


Additional info:

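The permission mix-up in this bug, modelled as an added Ruby illustration (not Katello's own code): a per-action rule table like the one behind the authorize filter in the backtrace, a read-only user, and the details page checked against the edit rule before the fix and against the show rule after it. The names RULES, User, authorize, details_page and allowed_actions are hypothetical.

```ruby
# Added illustration, not Katello's code: a minimal model of the per-action
# rule table behind the authorize filter in the backtrace. All names here
# (RULES, User, authorize, details_page, allowed_actions) are hypothetical.

class SecurityViolation < StandardError; end

# Each controller action on gpg_keys requires one verb on the resource.
RULES = {
  index:   :read,
  show:    :read,
  edit:    :update,
  update:  :update,
  destroy: :delete
}.freeze

# A user holding a set of verbs on gpg_keys; a read-only role holds only :read.
User = Struct.new(:name, :verbs)

# Deny unless the user holds the verb the rule table requires for the action.
# The message mirrors the one logged in production.log.
def authorize(user, action)
  verb = RULES.fetch(action) { raise SecurityViolation, "no rule for gpg_keys/#{action}" }
  return true if user.verbs.include?(verb)
  raise SecurityViolation, "User #{user.name} is not allowed to access gpg_keys/#{action}"
end

# Before the fix the details tab was checked against the edit action's rule
# (so a reader needed :update); after the fix it is checked against show (:read).
def details_page(user, fixed: true)
  authorize(user, fixed ? :show : :edit)
end

# Every action a user can reach: the per-role check a least-privilege review makes.
def allowed_actions(user)
  RULES.keys.select do |action|
    begin
      authorize(user, action)
    rescue SecurityViolation
      false
    end
  end
end

reader = User.new("reader", [:read])
p allowed_actions(reader)                      # [:index, :show]
p details_page(reader)                         # true
msg = details_page(reader, fixed: false) rescue $!.message
puts msg                                       # User reader is not allowed to access gpg_keys/edit
```
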
Comment 1 Sachin Ghai 2012-02-22 07:24:39 UTC
Created attachment 564851 [details]
Complete error log from production.log

Comment 2 Sachin Ghai 2012-02-22 07:26:08 UTC
Created attachment 564852 [details]
no details displayed on UI for gpg_keys using read only user

Comment 4 Pavel Pokorny 2012-09-10 08:00:39 UTC
It was fixed a long time ago in f61c2db.

I tested it in Katello Version: 1.1.9-1.git.95.0ed1e6f.el6.

Comment 7 Sachin Ghai 2012-10-03 08:27:04 UTC
Verified with the following CFSE build:

katello-glue-candlepin-1.1.12-12.el6cf.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-all-1.1.12-12.el6cf.noarch
katello-cli-1.1.8-6.el6cf.noarch
katello-certs-tools-1.1.8-1.el6cf.noarch
katello-selinux-1.1.1-1.el6cf.noarch
katello-configure-1.1.9-6.el6cf.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-cli-common-1.1.8-6.el6cf.noarch
katello-common-1.1.12-12.el6cf.noarch
katello-1.1.12-12.el6cf.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-glue-pulp-1.1.12-12.el6cf.noarch


I can see the created gpg_key details using a read-only user, and no error is generated in production.log.

Comment 8 Sachin Ghai 2012-10-03 08:28:06 UTC
Created attachment 620677 [details]
can see details of gpg-key using read only user

Comment 10 errata-xmlrpc 2012-12-04 19:42:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html