Description of problem:
When a user doesn't have the view_global_teams permission, he could add a global team (that the user is a member of) by team id as a member under his domain, but the same action would fail when he tries using the global team name. The --allowviewglobalteams switch should only control the user's capability to search and view any global team, but the current logic blocks the user from adding a global team as a member by name, while allowing it by team id.

Version-Release number of selected component (if applicable):
devenv_4830

How reproducible:
Always

Steps to Reproduce:
1. User "gpei" is a member of a global team "team1"
[root@ip-10-230-141-161 ~]# rhc team show -t team1 -l gpei
Team team1
----------
ID: 538874956402458f90000001
Global: true
Members: gpei (view)

And user "gpei" doesn't have the view_global_teams permission.
[root@ip-10-230-141-161 ~]# oo-broker oo-admin-ctl-user -l gpei
User gpei:
...
viewing all global teams allowed: false
...

2. Add the global team as a member to his domain via team name
[root@ip-10-230-141-161 ~]# rhc member-add -n jjj team1 --type team --global
Adding 1 editor to domain ...
You are not permitted to perform this action (view_global_teams on cloud user)

3. Add the global team as a member to his domain via team id
[root@ip-10-230-141-161 ~]# rhc member-add -n jjj --ids 538874956402458f90000001 --type team --global
Adding 1 editor to domain ... done

Actual results:
[root@ip-10-230-141-161 ~]# rhc member-add -n jjj team1 --type team --global -d
DEBUG: Using config file /root/.openshift/express.conf
DEBUG: Authenticating with RHC::Auth::Token
DEBUG: Connecting to https://localhost/broker/rest/api
DEBUG: Finding domain jjj
DEBUG: Client supports API versions 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
DEBUG: Using token authentication
DEBUG: Created new httpclient
DEBUG: Request GET https://localhost/broker/rest/api
DEBUG: SSL Verification failed -- Using self signed cert
DEBUG: code 200 65 ms
DEBUG: Server supports API versions 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
DEBUG: Using API version 1.7
DEBUG: Client API version 1.7 is not current. Refetching API
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/api
DEBUG: code 200 21 ms
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/domain/jjj
DEBUG: code 200 31 ms
Adding 1 editor to domain ...
DEBUG: Searching teams
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/teams?global=true search=team1
DEBUG: code 403 162 ms
You are not permitted to perform this action (view_global_teams on cloud user)

When the user adds a global team by name, the REST API searches for the global team first, which is not allowed when the user doesn't have the view_global_teams permission, according to https://bugzilla.redhat.com/show_bug.cgi?id=1088941

Expected results:
The user should have the ability to add a global team (that the user is a member of) by name as a member under his domain, even if the user doesn't have the view_global_teams permission.

Additional info:
Not a blocker for Online, since there are no global teams
Will merge fix in https://github.com/openshift/origin-server/pull/5468
Commit pushed to master at https://github.com/openshift/origin-server

https://github.com/openshift/origin-server/commit/1e14237ddb04b758734955b170fb1f11d0470641
Bug 1103131: Remove authorize! check and let Team.accessible() limit which global teams a user can see
Verified this bug on devenv_4835.

When a user doesn't have the view_global_teams permission, he can search by name for a global team which he is a member of. So he can add a global team as a member.

[root@ip-10-203-168-223 ~]# rhc team list
Team t1
-------
ID: 538d699abe9d9937e8000001
Global: true
Members: gpei (view)

You are a member of 1 team.

[root@ip-10-203-168-223 ~]# rhc member-add t1 -n 444 --type team --global -d
DEBUG: Using config file /root/.openshift/express.conf
DEBUG: Authenticating with RHC::Auth::Token
DEBUG: Connecting to https://localhost/broker/rest/api
DEBUG: Finding domain 444
DEBUG: Client supports API versions 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
DEBUG: Using token authentication
DEBUG: Created new httpclient
DEBUG: Request GET https://localhost/broker/rest/api
DEBUG: SSL Verification failed -- Using self signed cert
DEBUG: code 200 51 ms
DEBUG: Server supports API versions 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
DEBUG: Using API version 1.7
DEBUG: Client API version 1.7 is not current. Refetching API
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/api
DEBUG: code 200 33 ms
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/domain/444
DEBUG: code 200 36 ms
Adding 1 editor to domain ...
DEBUG: Searching teams
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/teams?global=true search=t1
DEBUG: code 200 19 ms
DEBUG: Using token authentication
DEBUG: Request PATCH https://localhost/broker/rest/domain/444/members
DEBUG: code 200 317 ms
done

[root@ip-10-203-168-223 ~]# rhc member list -n 444
Name Login Role          Type
---- ----- ------------- ----
gpei gpei  admin (owner) user
t1         edit          team
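
The design change named in the commit message above (drop the blanket authorize! gate on team search and let an accessibility scope bound the results), sketched as an added Ruby example. It is not origin-server code: the User and Team structs, the sample teams and every method name are hypothetical, and the visibility rule is an assumption drawn from this report.

```ruby
# Added illustration; all names here are hypothetical, not origin-server code.
class Forbidden < StandardError; end

User = Struct.new(:login, :view_global_teams)
Team = Struct.new(:id, :name, :global, :members)

# Constructed sample data: two global teams and one non-global team.
TEAMS = [
  Team.new("id-1", "team1", true,  ["gpei"]),
  Team.new("id-2", "team2", true,  ["alice"]),
  Team.new("id-3", "local", false, ["gpei"]),
].freeze

# Assumed visibility rule: membership always makes a global team visible;
# view_global_teams widens visibility to every global team.
def accessible_global_teams(user)
  TEAMS.select do |t|
    t.global && (user.view_global_teams || t.members.include?(user.login))
  end
end

# Before: a blanket permission gate rejects the whole search, even when the
# only match is a team the caller already belongs to.
def search_gated(user, term)
  raise Forbidden, "view_global_teams on cloud user" unless user.view_global_teams
  TEAMS.select { |t| t.global && t.name.include?(term) }.map(&:name)
end

# After: no gate; the scope alone decides what a search can return, so
# lookup by name and lookup by id give the same answer for the same user.
def search_scoped(user, term)
  accessible_global_teams(user).select { |t| t.name.include?(term) }.map(&:name)
end

# Helper that turns the gate's exception into a value for comparison.
def gated_result(user, term)
  search_gated(user, term)
rescue Forbidden
  :forbidden
end
```

The check that matters when removing such a gate is the negative one: a user without view_global_teams must still get no match for a global team he is not a member of.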