Description of problem:
user without "Unassign Bundles From Group" is able to unassign bundles from group

Version-Release number of selected component (if applicable):
jon 3.2 ER3

How reproducible:
always

Steps to Reproduce:
1. create a user "bundle" having role with "delete bundle from groups" and without having permission to "Unassign Bundles From Group"
2. log in as "bundle" user
3. navigate to Bundles
4. Select a group having bundle assigned to it
5. unassign the bundle from group

Actual results:
bundle is unassigned

Expected results:
bundle cannot be unassigned - alert telling that no-permission granted to unassign bundle should be shown

Additional info:
video recorded -> http://d.pr/v/K0Yp

OK, after talking to Jay, this is expected behavior and not a bug. See the docs here: https://docs.jboss.org/author/display/RHQ/Security+Model+for+Bundle+Provisioning#SecurityModelforBundleProvisioning-DeleteBundlesInGroup where it says: "This permission allows any viewable bundle to be unassigned from bundle groups associated with the role." So if you have the ability to delete bundles, that implies you can also unassign bundles, too. The thought is that if you can delete you should be able to unassign because delete is more powerful than unassign. The same thing is true with "create in group" bundle permission and "assign to group" bundle permissions.
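
The implication rule described in the comment above, as an added sketch that is not RHQ's code: a stronger bundle permission expands to the weaker one it implies, and the check is scoped to bundle groups associated with the role. The permission constants, the `Role` class, the helper functions and the group names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Illustrative labels based on the wording in this thread, not RHQ's enum constants.
DELETE = "delete_bundles_from_group"
UNASSIGN = "unassign_bundles_from_group"
CREATE = "create_bundles_in_group"
ASSIGN = "assign_bundles_to_group"

# Stronger permission -> weaker permissions it implies, as the comment describes.
IMPLIES = {DELETE: {UNASSIGN}, CREATE: {ASSIGN}}

def effective(granted):
    """Expand granted permissions with everything they imply, transitively."""
    result, stack = set(), list(granted)
    while stack:
        perm = stack.pop()
        if perm not in result:
            result.add(perm)
            stack.extend(IMPLIES.get(perm, ()))
    return result

@dataclass
class Role:
    name: str
    permissions: set
    bundle_groups: set = field(default_factory=set)

def is_allowed(roles, permission, bundle_group):
    """True if a role tied to bundle_group grants permission, directly or implied."""
    return any(
        bundle_group in role.bundle_groups and permission in effective(role.permissions)
        for role in roles
    )

def why_allowed(roles, permission, bundle_group):
    """Audit helper: (role, granted permission) pairs that produce the access."""
    return sorted(
        (role.name, granted)
        for role in roles if bundle_group in role.bundle_groups
        for granted in role.permissions
        if permission in effective({granted})
    )

# Constructed sample: the "bundle" user from the report holds one role with
# delete but not unassign, associated with a made-up group "web-tier".
bundle_user_roles = [Role("bundle-role", {DELETE}, {"web-tier"})]
```

When reviewing role definitions under this kind of model, `why_allowed` shows which explicitly granted permission is responsible for an access that is not listed on the role itself.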