Bug 1102315 - As a readonly user, I should not be able to edit any entity through the API or UI.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Content Management
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: Walden Raines
QA Contact: sthirugn@redhat.com
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
Reported: 2014-05-28 18:10 UTC by Eric Helms
Modified: 2019-09-26 18:14 UTC

Fixed In Version:
Doc Type: Release Note
Doc Text:
Red Hat Satellite 6 will deliver with a read only role. If users test this, and find places where they could actually modify data, they are asked to raise a support request and report the issue.
Clone Of:
Environment:
Last Closed: 2014-09-11 12:24:34 UTC
Target Upstream Version:
Embargoed:




Links: Foreman Issue Tracker 5503 (last updated 2016-04-22 15:51:27 UTC)

Description Eric Helms 2014-05-28 18:10:45 UTC

Comment 1 Eric Helms 2014-05-28 18:10:47 UTC
Created from redmine issue http://projects.theforeman.org/issues/5503

Comment 2 Eric Helms 2014-05-28 18:10:51 UTC
Upstream bug assigned to walden

Comment 5 Walden Raines 2014-06-06 19:07:51 UTC
PR: https://github.com/Katello/katello/pull/4226

Comment 6 Walden Raines 2014-06-18 19:21:45 UTC
commit f4129016e3ba33aa493d5209584f3b443362dbea
Merge: c36f6f6 8332883
Author: Walden Raines <walden>
Date:   Wed Jun 18 15:19:37 2014 -0400

    Merge pull request #4226 from waldenraines/5503
    
    Fixes #5503/BZ1102315 - restrict UI interactions to actual permissions in Bastion.

commit 83328836519a9ae1068ccf27b9a481f2457384c7
Author: Walden Raines <walden>
Date:   Tue Jun 3 14:18:29 2014 -0400

    Fixes #5503/BZ1102315 - restrict UI interactions to actual permissions.

Comment 8 sthirugn@redhat.com 2014-08-11 17:57:45 UTC
Verified.

Used a Viewer role to test this bug
- In UI - all pages are visible but not editable
- In API - tested a few API calls to edit objects and they returned Access denied

#1: 
curl -s -H "Content-Type:application/json" -H "Accept:application/json,version=2" -k -u readuser:pword -d '{"type":"system", "facts":{"release":"6Server", "architecture":"x86_64"}, "host_colletion_id":{}, "organization_id":3, "description":"Initial Registration Parameters:\nOS: redhat-release-server\nRelease: 6Server\nCPU Arch: x86_64\nsat5_system_id: 1000020000", "name":"mysytem-123.example.com"}' https://host.redhat.com/katello/api/systems
{"message":"Access denied","details":null}

#2:
curl -s -H "Content-Type:application/json" -H "Accept:application/json,version=2" -k -u readuser:pword -d '{"name":"testorgapi"}' https://host.redhat.com/katello/api/organizations
{
  "error": {"message":"Access denied","details":null}

#3:
curl -X POST -H "Content-Type:application/json" -H "Accept:application/json,version=2" -k -u readuser:pword  -d '{"organization_id":"3", "name":"testakapi"}' https://host.redhat.com/katello/api/activation_keys
{"message":"Access denied","details":null}

Version Tested:
GA Snap 4 - Satellite-6.0.4-RHEL-6-20140806.0

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.19-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.19-1.el6_5.noarch
* candlepin-tomcat6-0.9.19-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-1.6.0.38-1.el6sat.noarch
* foreman-compute-1.6.0.38-1.el6sat.noarch
* foreman-gce-1.6.0.38-1.el6sat.noarch
* foreman-libvirt-1.6.0.38-1.el6sat.noarch
* foreman-ovirt-1.6.0.38-1.el6sat.noarch
* foreman-postgresql-1.6.0.38-1.el6sat.noarch
* foreman-proxy-1.6.0.23-1.el6sat.noarch
* foreman-selinux-1.6.0.4-1.el6sat.noarch
* foreman-vmware-1.6.0.38-1.el6sat.noarch
* katello-1.5.0-28.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.57-1.el6sat.noarch
* openldap-2.4.23-34.el6_5.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.30.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.30.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.30.beta.el6sat.noarch
* pulp-server-2.4.0-0.30.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
* sssd-ldap-1.11.5.1-3.el6.x86_64
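Added example (not part of this bug report, and not Katello's own code): a small Python checker for the kind of verification done in comment 8. It takes the responses a read-only user gets back from write attempts and flags anything that is not a clean "Access denied": a 2xx status means the write went through regardless of body text, and an unparseable body (like the truncated second sample above) is reported as indeterminate rather than silently counted as a pass. Both response shapes shown in the comment are handled, the message at top level and the message nested under "error". The probe() helper, the host_collections endpoint and the 201 response in the samples are assumptions constructed for illustration.

```python
"""Check that a read-only Satellite/Katello role cannot create entities via the API.

Added example, not code from this bug report or from Katello. It assumes the
two error shapes seen in comment 8 and uses constructed sample responses.
"""
import base64
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class WriteAttempt:
    endpoint: str            # API path that received the POST
    status: Optional[int]    # HTTP status, or None when not captured (curl -s)
    body: str                # raw response body


def access_denied(body: str) -> Optional[bool]:
    """True for a Katello 'Access denied' error, False for any other well-formed
    response, None when the body cannot be parsed (e.g. truncated output)."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, dict):
        return False
    # Both shapes from the report: top-level message, or nested under "error".
    candidate = data.get("error", data)
    if not isinstance(candidate, dict):
        return False
    return candidate.get("message") == "Access denied"


def classify(attempt: WriteAttempt) -> str:
    """'denied', 'allowed' (2xx: the write succeeded), 'not_denied' (some other
    non-denial response that needs a look) or 'indeterminate' (unparseable body)."""
    if attempt.status is not None and 200 <= attempt.status < 300:
        return "allowed"
    denied = access_denied(attempt.body)
    if denied is True:
        return "denied"
    if denied is None:
        return "indeterminate"
    return "not_denied"


def findings(attempts: List[WriteAttempt]) -> List[Tuple[str, str]]:
    """Endpoints whose outcome was anything other than a clean denial."""
    return [(a.endpoint, classify(a)) for a in attempts if classify(a) != "denied"]


def probe(base_url: str, endpoint: str, user: str, password: str,
          payload: dict, timeout: float = 10) -> WriteAttempt:
    """Issue one POST as the given user and capture status and body.
    Hypothetical helper for live use; the offline sample below does not call it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + endpoint,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Accept": "application/json,version=2",
                 "Authorization": "Basic " + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return WriteAttempt(endpoint, resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses still carry the JSON error body we want to inspect
        return WriteAttempt(endpoint, err.code, err.read().decode())


# Constructed samples: the three bodies from comment 8 (status not captured by
# curl -s) plus one invented 201 response to show what a real finding looks like.
SAMPLE_ATTEMPTS = [
    WriteAttempt("/katello/api/systems", None,
                 '{"message":"Access denied","details":null}'),
    WriteAttempt("/katello/api/organizations", None,
                 '{\n  "error": {"message":"Access denied","details":null}'),
    WriteAttempt("/katello/api/activation_keys", None,
                 '{"message":"Access denied","details":null}'),
    WriteAttempt("/katello/api/host_collections", 201,
                 '{"id":42,"name":"constructed"}'),
]

if __name__ == "__main__":
    for a in SAMPLE_ATTEMPTS:
        print(f"{classify(a):13} {a.endpoint}")
    print("findings:", findings(SAMPLE_ATTEMPTS))
```

Running the module prints one line per endpoint and then the findings list; a non-empty list is exactly the situation the Doc Text above asks users to report. probe() verifies TLS by default, unlike the curl -k calls in the comment, and captures the HTTP status, which the curl -s output above did not, so a 2xx can be caught even when the body looks harmless.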

Comment 9 Bryan Kearney 2014-09-11 12:24:34 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.

