
Bug 1086499

Summary: User can access unauthorized repositories via [Administration] even after configuring roles
Product: [Retired] JBoss BRMS Platform 6
Reporter: Toshiya Kobayashi <tkobayas>
Component: Business Central
Assignee: manstis
Status: CLOSED NEXTRELEASE
QA Contact: Tomas Livora <tlivora>
Severity: high
Docs Contact:
Priority: medium
Version: 6.0.1
CC: kverlaen, lpetrovi, tkobayas, wsiqueir
Target Milestone: ER2
Keywords: Reopened
Target Release: 6.0.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-18 05:18:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
user1_can_access_repo2_in_Administration.png (flags: none)

Description Toshiya Kobayashi 2014-04-11 02:46:44 UTC
Description of problem:

You can configure roles for repositories using kie-config-cli.sh. Then you will see only authorized repositories in "Project Explorer" ([Authoring]->[Project Authoring]). (NOTE: You need to reboot BRMS. See BZ1086489)

But you can still access unauthorized repositories in "File Explorer" ([Authoring]->[Administration]).

Steps to Reproduce:

A) Log in to business-central as admin
B) Create 'repo1' and 'repo2' in business-central (Organization Unit is 'example')

C) Configure roles for repositories using kie-config-cli.sh

[tkobayas@tkobayas kie-config-cli-6.0.2-redhat-6-dist]$ ./kie-config-cli.sh 
********************************************************

************* Welcome to Kie config CLI ****************

********************************************************

...

>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>Please enter command (type help to see available commands): 
add-role-repo
>>Repository alias:repo1
>>Security roles (comma separated list):role1
Result:
Role role1 added successfully to repository repo1

>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>Please enter command (type help to see available commands): 
add-role-repo
>>Repository alias:repo2
>>Security roles (comma separated list):role2
Result:
Role role2 added successfully to repository repo2
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>Please enter command (type help to see available commands): 
push-changes
Result:
Pushed successfully
>>>>>>>>>>>>>>>>>>>>>>>>>>>
>>Please enter command (type help to see available commands): 
list-repo
Result:
Currently available repositories: 
	Repository repo1
	 scheme: git
	 uri: git://repo1
	 environment: {scheme=git, security:roles=[role1]}
	 roles: [role1]
	Repository repository1
	 scheme: git
	 uri: git://repository1
	 environment: {username=, scheme=git, security:roles=[], password=****}
	 roles: []
	Repository repo2
	 scheme: git
	 uri: git://repo2
	 environment: {scheme=git, security:roles=[role2]}
	 roles: [role2]

D) Add users in EAP

bin/add-user.sh -a --user user1 --password password1! --role analyst,role1
bin/add-user.sh -a --user user2 --password password1! --role analyst,role2

E) Reboot BRMS

F) Log in to business-central as user1

G) Go to [Authoring]->[Project Authoring]. Confirm that you cannot access 'repo2'

H) Go to [Authoring]->[Administration]

Actual results:

user1 can access repo2 (See attached user1_can_access_repo2_in_Administration.png)

Expected results:

user1 cannot access repo2

Comment 1 Toshiya Kobayashi 2014-04-11 02:50:23 UTC
Created attachment 885217 [details]
user1_can_access_repo2_in_Administration.png

Comment 2 manstis 2014-04-11 08:32:52 UTC
Interesting :)

The intent is that the "Administration" perspective should not be available to Users who do not have the "admin" role. If they have the "admin" role then it is acceptable that within the "Administration" perspective they can perform all functions and view all repositories.

Therefore, my opinion is that we are not correctly protecting access to the "Administration" perspective. This is, however, different from the subject of the BZ.

Can you please confirm that access to "Administration" should be corrected in lieu of preventing access to repositories, as you have requested?

Thanks.

Comment 3 Toshiya Kobayashi 2014-04-14 01:43:43 UTC
Thanks Mike, that makes perfect sense. Please protect "Administration"; then it would be fine for this BZ.
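
The authorization gap from the description (role-filtered Project Explorer, unfiltered Administration File Explorer) and the perspective gate agreed in comments 2 and 3, modelled as an added Python example that is not Business Central's or KIE's own code. Repositories, roles and users are constructed from steps B to D above; treating a repository with an empty security:roles list as visible to everyone, and the "hold at least one of the repository's roles" rule for Project Explorer, are assumptions of the model rather than documented product behaviour.

```python
# Added example (not Business Central / KIE code): a minimal model of the two
# access paths in this bug. Data below is constructed from steps B-D of the report.
from dataclasses import dataclass

ADMIN_ROLE = "admin"


@dataclass(frozen=True)
class Repository:
    alias: str
    roles: frozenset  # security:roles set via kie-config-cli add-role-repo


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset  # roles assigned with add-user.sh


# Constructed to match the list-repo output and the add-user.sh calls above.
REPOSITORIES = (
    Repository("repo1", frozenset({"role1"})),
    Repository("repository1", frozenset()),
    Repository("repo2", frozenset({"role2"})),
)
USERS = {
    "admin": User("admin", frozenset({ADMIN_ROLE, "analyst"})),
    "user1": User("user1", frozenset({"analyst", "role1"})),
    "user2": User("user2", frozenset({"analyst", "role2"})),
}


def project_explorer_repositories(user, repositories=REPOSITORIES):
    """Project Explorer rule (assumed): a repository with no roles is visible to
    everyone; otherwise the user must hold at least one of its roles."""
    return [r.alias for r in repositories if not r.roles or r.roles & user.roles]


def administration_repositories_buggy(user, repositories=REPOSITORIES):
    """Behaviour reported in the bug: the Administration File Explorer lists
    every repository and never consults the roles or the perspective."""
    return [r.alias for r in repositories]


def can_open_administration(user):
    """Gate agreed in comments 2 and 3: only the admin role may open the perspective."""
    return ADMIN_ROLE in user.roles


def administration_repositories_fixed(user, repositories=REPOSITORIES):
    """Hardened behaviour: the perspective gate runs before any listing, so a
    non-admin is refused here instead of receiving an unfiltered list."""
    if not can_open_administration(user):
        raise PermissionError(f"{user.name} lacks the {ADMIN_ROLE!r} role")
    return [r.alias for r in repositories]


def leaked_repositories(user, repositories=REPOSITORIES):
    """Audit helper: repositories the buggy Administration view exposes that the
    role-filtered Project Explorer hides from the same user."""
    allowed = set(project_explorer_repositories(user, repositories))
    return sorted(set(administration_repositories_buggy(user, repositories)) - allowed)


if __name__ == "__main__":
    for name, user in USERS.items():
        print(f"{name}: project explorer -> {project_explorer_repositories(user)}")
        print(f"{name}: leaked via buggy Administration -> {leaked_repositories(user)}")
        try:
            print(f"{name}: fixed Administration -> {administration_repositories_fixed(user)}")
        except PermissionError as exc:
            print(f"{name}: fixed Administration -> denied ({exc})")
```

The point of `leaked_repositories` is the check a tester would run: for user1 it returns `['repo2']`, exactly the discrepancy in the attached screenshot, and after the perspective gate is in place the Administration listing cannot be reached by user1 at all, so the discrepancy disappears without filtering the admin's own view.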

Comment 5 Tomas Livora 2014-05-05 09:01:09 UTC
Verified on BRMS 6.0.2 ER2

Comment 6 William Antônio 2015-06-18 00:17:41 UTC
Hi,

I am still able to see this issue on BPM Suite 6.1.

Can we have this fixed on BPM Suite 6.1.2? (I will create the required BZ)

Thanks.

Comment 7 William Antônio 2015-06-18 05:18:45 UTC
The issue I am facing is slightly different. I will open a new BZ. Sorry for the spam. (Thanks Toshiya)