Bug 1066586 - NDA setting prevents ACL's from working
Status: CLOSED CURRENTRELEASE
Product: Beaker
Classification: Retired
Component: web UI
Version: 0.15
Hardware: Unspecified
OS: Unspecified
Target Milestone: 0.15.5
Assignee: Dan Callaghan
QA Contact: tools-bugs
 
Reported: 2014-02-18 16:43 UTC by Bill Peck
Modified: 2018-02-06 00:41 UTC (History)

Last Closed: 2014-03-03 01:33:40 UTC

Description Bill Peck 2014-02-18 16:43:32 UTC
Description of problem:

We have some systems in Beaker that have been set to NDA/Secret, and even though the ACL's say that users in a particular group should have access to reserve and edit the system, they can't even see the system.

Version-Release number of selected component (if applicable):
0.15.3

How reproducible:
Every time.  

Steps to Reproduce:
1. User A owns System A and NDA is checked
2. Add group B to System A and User B
3. Add all permissions for group B

Actual results:
User B will not be able to see System A

Expected results:
User B should be able to see and use system.

Additional info:
If system is loaned to User B then user can edit and use system based on the ACL's.

Comment 3 Dan Callaghan 2014-02-19 00:02:18 UTC
This is an RFE rather than a regression, right? The current behaviour matches the previous behaviour in 0.14, namely that secret systems are only visible to the owner and to the person who they are loaned to.

Anyway this is already fixed in the upcoming 0.16 release by replacing the Secret checkbox with a "view" permission in the access policy.

http://git.beaker-project.org/cgit/beaker/commit/?id=c6101de1f657b3127f55e69674305984a9414e23

Comment 4 Bill Peck 2014-02-19 01:43:42 UTC
It is a regression.  One of the very confusing overloading of groups in beaker pre 0.15.

What is the ETA on 0.16?  

Thanks

Comment 5 Dan Callaghan 2014-02-19 04:49:20 UTC
Ahhh yes you're right, not sure how I missed that. In 0.14 and earlier, private systems were visible to group members (as well as owner, user, loan recipient, admins, and accounts with secret_visible permission).

Comment 6 Nick Coghlan 2014-02-19 07:43:24 UTC
We're hoping to have 0.16rc1 ready for testing next week, but we'll also come up with a patch for 0.15 that adds an implied "view" permission as part of having the "reserve" permission.

That way, even if there are delays in getting 0.16 published, there'll still be a patch that can be used to hot fix this issue in 0.15 deployments.

Comment 7 Dan Callaghan 2014-02-19 07:44:14 UTC
I think we can fix this for the 0.15.x series by allowing anybody with "reserve" permission to see secret systems. That should be equivalent to the old behaviour in 0.14, since we migrated system groups to be a grant of "reserve" permission in the access policy.

In 0.16+ the real fix will be the new "view" permission.

Comment 8 Dan Callaghan 2014-02-20 04:51:08 UTC
On Gerrit: http://gerrit.beaker-project.org/2823

Comment 11 Nick Coghlan 2014-03-03 01:33:40 UTC
This was fixed with the release of Beaker 0.15.5.
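
The visibility rule discussed in this thread, as an added example that is not part of the original bug report and is not Beaker's code: a simplified model of the secret-system check as comment 3 describes it for 0.15, beside the hot fix from comment 7 where "reserve" permission implies visibility. All class and function names and the sample users are assumptions made for illustration; admins and the other cases listed in comment 5 are left out.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass
class System:
    owner: str
    secret: bool = False                 # the "NDA/Secret" checkbox
    loaned_to: Optional[str] = None
    policy: set = field(default_factory=set)  # {(group, permission), ...}


def has_permission(system, user, permission):
    return any((group, permission) in system.policy for group in user.groups)


def can_view_0_15_3(system, user):
    # Secret systems: owner and loan recipient only; the policy is never consulted.
    return not system.secret or user.name in (system.owner, system.loaned_to)


def can_view_hotfix(system, user):
    # Comment 7: holding "reserve" implies being able to see a secret system.
    return can_view_0_15_3(system, user) or has_permission(system, user, "reserve")


def reproduce():
    # Constructed data following the report's steps to reproduce.
    system_a = System(owner="user_a", secret=True,
                      policy={("group_b", "reserve"), ("group_b", "edit")})
    user_b = User("user_b", frozenset({"group_b"}))
    outsider = User("user_c")
    loaned = System(owner="user_a", secret=True, loaned_to="user_b")
    return {
        "0.15.3, user B": can_view_0_15_3(system_a, user_b),
        "0.15.3, user B on loan": can_view_0_15_3(loaned, user_b),
        "hot fix, user B": can_view_hotfix(system_a, user_b),
        "hot fix, outsider": can_view_hotfix(system_a, outsider),
    }


if __name__ == "__main__":
    for case, visible in reproduce().items():
        print(f"{case}: {'visible' if visible else 'hidden'}")
```

The outsider case is the one worth keeping as a regression test alongside the fix: widening visibility to "reserve" holders must not make secret systems visible to accounts with no grant in the policy.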

