Bug 1017279 - user without "Unassign Bundles From Group" is able to unassign bundles from group
user without "Unassign Bundles From Group" is able to unassign bundles from g...
Status: CLOSED NOTABUG
Product: JBoss Operations Network
Classification: JBoss
Component: Provisioning (Show other bugs)
JON 3.2
x86_64 Linux
unspecified Severity high
: ---
: JON 3.2.0
Assigned To: RHQ Project Maintainer
Mike Foley
:
Depends On:
Blocks: jon32-Beta-Blockers-1006862
  Show dependency treegraph
 
Reported: 2013-10-09 10:39 EDT by Armine Hovsepyan
Modified: 2015-09-02 20:02 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-09 11:16:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Armine Hovsepyan 2013-10-09 10:39:09 EDT
Description of problem:
user without "Unassign Bundles From Group" is able to unassign bundles from group

Version-Release number of selected component (if applicable):
jon 3.2 ER3

How reproducible:
always

Steps to Reproduce:
1. create a user "bundle" having role with "delete bundle from groups" and without having permission to "Unassign Bundles From Group"
2. log in as "bundle" user
3. navigate to Bundles 
4. Select a group having bundle assigned to it
5. unassign the bundle from group

Actual results:
bundle is unassigned

Expected results:
bundle cannot be unassigned - alert telling that no-permission granted to  unassign bundle should be shown


Additional info:
video recorded -> http://d.pr/v/K0Yp
Comment 1 John Mazzitelli 2013-10-09 11:16:45 EDT
OK, after talking to Jay, this is expected behavior and not a bug.

See the docs here:

   https://docs.jboss.org/author/display/RHQ/Security+Model+for+Bundle+Provisioning#SecurityModelforBundleProvisioning-DeleteBundlesInGroup

where it says:

   "This permission allows any viewable bundle to be unassigned from bundle groups associated with the role."

So if you have the ability to delete bundles, that implies you can also unassign bundles, too.

The thought is that if you can delete you should be able to unassign because delete is more powerful than unassign. The same thing is true with "create in group" bundle permission and "assign to group" bundle permissions.

Note You need to log in before you can comment on or make changes to this bug.