Bug 796964

Summary: User with only 'Sync Product' permission can edit repositories and view gpg keys
Product: Red Hat Satellite
Reporter: Eric Helms <ehelms>
Component: WebUI
Assignee: Eric Helms <ehelms>
Status: CLOSED CURRENTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: medium
Priority: unspecified
Version: 6.0.1
CC: ansmith, jturner, mmccune, omaciel
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-08-22 18:29:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 801908

Description Eric Helms 2012-02-23 23:11:38 UTC
Description of problem:
A user who has been granted a role that contains only the 'Sync Product' permission for a particular organization can view GPGKeys and edit repositories.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Create new user 'test_user'
2. Create new role 'sync products only'
3. Create Permission within ACME_Corporation with 'Permission For: Organization' and Verb 'Sync Product'
4. Add user 'test_user' to Role 'sync products only'
5. Logout and login as 'test_user'
  
Actual results:
The user can view all sync management pages; in addition, they can view GPG Keys and edit repositories under Providers.

Expected results:
Seems like if I only have permission to Sync Products I should not also have the ability to edit the details of a Repository. Further, I shouldn't expect to see GPGKey data.

Additional info:

Comment 2 Mike McCune 2012-03-07 23:43:49 UTC
mass move ON_QA after brewing

Comment 3 Jeff Weiss 2012-03-08 19:29:17 UTC
Fails QA.  Can still view GPG keys and Custom provider pages.  You can no longer edit repos though - that part is fixed.

Comment 4 Jeff Weiss 2012-03-08 19:29:25 UTC
Katello Version: 0.2.8-1.git.11.033f96d.el6

Comment 5 Jeff Weiss 2012-03-08 19:35:54 UTC
Can also view systems with just Sync Product permission.

Comment 6 Eric Helms 2012-03-09 19:01:46 UTC
The ability to view systems comes from setting a default environment and has nothing to do with having the 'Sync Products' permission.  After discussion, it was decided being able to see GPG Keys with the 'Sync Products' permission is expected behavior given that 'Sync Products' gives you the ability to read provider information (i.e. Products, Repos, GPG Keys).

Comment 7 Jeff Weiss 2012-03-09 19:59:32 UTC
See "blocks" field for more general bug that should fix this as well.

Comment 8 Jeff Weiss 2012-03-14 15:29:48 UTC
Closing this bug in favor of the more general one, which will probably be deferred.

Comment 10 Mike McCune 2013-08-16 18:21:43 UTC
getting rid of 6.0.0 version since that doesn't exist