Bug 917933

Summary: User can delete jobs not owned by itself
Product: [Retired] Beaker Reporter: Monson Shao <jshao>
Component: schedulerAssignee: Qixiang Wan <qwan>
Status: CLOSED CURRENTRELEASE QA Contact: Raymond Mancy <rmancy>
Severity: high Docs Contact:
Priority: unspecified    
Version: 0.11CC: asaha, ccui, dcallagh, ebaak, llim, qwan, rglasz, rmancy
Target Milestone: 0.12   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: Misc
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-04-11 04:56:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Monson Shao 2013-03-05 07:05:17 UTC 
Description of problem:
One can delete jobs not owned by itself, via webui or command line.
It's odd that you have not permission to cancel someone's jobs, but you can delete them.
One user's misoperation may involve others, and admin seems not able to recover deleted jobs. (maybe another ticket should be filed?)

Version-Release number of selected component (if applicable):
0.11.3 

Steps to Reproduce:
$ bkr job-delete J:xxxxxx

Actual results:
User can delete anyone's jobs.

Expected results:
User can only delete own jobs.

Additional info:
Comment 1 Qixiang Wan 2013-03-06 05:19:31 UTC 
on gerrit: http://gerrit.beaker-project.org/1787
Comment 3 Raymond Mancy 2013-04-02 12:23:43 UTC 
Verified:
  XML-RPC fault: <class 'bkr.common.bexceptions.BeakerException'>:"You don't have permission to delete job J:113"
Comment 4 Dan Callaghan 2013-04-11 04:56:36 UTC 
Beaker 0.12 has been released.