+++ This bug was initially created as a clone of Bug #1103131 +++

Description of problem:
When a user doesn't have the view_global_teams permission, he could add a global team (that the user is a member of) by team id as a member under his domain, but the same action would fail when he tries using the global team name.
The --allowviewglobalteams switch should only control the capability to search and view any global team of the user, but the current logic blocks the user from adding a global team as a member by name, while allowing it by the team id method.

Version-Release number of selected component (if applicable):
devenv_4830

How reproducible:
Always

Steps to Reproduce:
1. User "gpei" is a member of a global team "team1"

[root@ip-10-230-141-161 ~]# rhc team show -t team1 -l gpei
Team team1
----------
  ID:      538874956402458f90000001
  Global:  true
  Members: gpei (view)

And user "gpei" doesn't have the view_global_teams permission.

[root@ip-10-230-141-161 ~]# oo-broker oo-admin-ctl-user -l gpei
User gpei:
...
viewing all global teams allowed: false
...

2. Add the global team as a member to his domain via team name

[root@ip-10-230-141-161 ~]# rhc member-add -n jjj team1 --type team --global
Adding 1 editor to domain ...
You are not permitted to perform this action (view_global_teams on cloud user)

3. Add the global team as a member to his domain via team id

[root@ip-10-230-141-161 ~]# rhc member-add -n jjj --ids 538874956402458f90000001 --type team --global
Adding 1 editor to domain ... done

Actual results:

[root@ip-10-230-141-161 ~]# rhc member-add -n jjj team1 --type team --global -d
DEBUG: Using config file /root/.openshift/express.conf
DEBUG: Authenticating with RHC::Auth::Token
DEBUG: Connecting to https://localhost/broker/rest/api
DEBUG: Finding domain jjj
DEBUG: Client supports API versions 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
DEBUG: Using token authentication
DEBUG: Created new httpclient
DEBUG: Request GET https://localhost/broker/rest/api
DEBUG: SSL Verification failed -- Using self signed cert
DEBUG: code 200 65 ms
DEBUG: Server supports API versions 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
DEBUG: Using API version 1.7
DEBUG: Client API version 1.7 is not current. Refetching API
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/api
DEBUG: code 200 21 ms
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/domain/jjj
DEBUG: code 200 31 ms
Adding 1 editor to domain ... DEBUG: Searching teams
DEBUG: Using token authentication
DEBUG: Request GET https://localhost/broker/rest/teams?global=true search=team1
DEBUG: code 403 162 ms
You are not permitted to perform this action (view_global_teams on cloud user)

When a user adds a global team by name, the REST API searches for the global team first, which is not allowed when the user doesn't have the view_global_teams permission, according to https://bugzilla.redhat.com/show_bug.cgi?id=1088941

Expected results:
The user should have the ability to add a global team (that the user is a member of) by name as a member under his domain, even if the user doesn't have the view_global_teams permission.

Additional info:
Fix available in https://github.com/openshift/origin-server/pull/5468
Upstream commit:

commit 1e14237ddb04b758734955b170fb1f11d0470641
Author: Jordan Liggitt <jliggitt>
Date:   Fri May 30 10:54:52 2014 -0400

    Bug 1103131: Remove authorize! check and let Team.accessible() limit which global teams a user can see
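A simplified in-memory model of the change the commit message describes, added here as an illustration and not taken from origin-server: it contrasts a search gated by an up-front capability check with a search that is limited by an accessibility filter. All class, method and data names below are assumptions, the sample teams are constructed, and exact name matching is assumed.

```ruby
# Simplified model; names are hypothetical, not origin-server code.
Team = Struct.new(:id, :name, :global, :member_logins)
User = Struct.new(:login, :view_global_teams)

class Forbidden < StandardError; end

TEAMS = [ # constructed sample data
  Team.new("id-1", "team1", true, ["gpei"]),
  Team.new("id-2", "team2", true, ["other"]),
].freeze

# Global teams this user may see: every global team when the user holds
# the capability, otherwise only global teams the user is a member of.
def accessible_global_teams(user)
  TEAMS.select do |t|
    t.global && (user.view_global_teams || t.member_logins.include?(user.login))
  end
end

# Behaviour described in the report: the search is refused outright without
# the capability, so a member cannot resolve their own team by name.
def search_before(user, name)
  raise Forbidden, "view_global_teams on cloud user" unless user.view_global_teams
  TEAMS.select { |t| t.global && t.name == name }
end

# Behaviour described in the commit message: no up-front check; the
# accessibility filter decides which teams a search can return.
def search_after(user, name)
  accessible_global_teams(user).select { |t| t.name == name }
end

# Helper for display: team names on success, a 403-style string on refusal.
def try_search(impl, user, name)
  send(impl, user, name).map(&:name)
rescue Forbidden => e
  "403: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  gpei = User.new("gpei", false)
  p try_search(:search_before, gpei, "team1")
  p try_search(:search_after, gpei, "team1")
  p try_search(:search_after, gpei, "team2")
end
```

The third call is the check worth keeping as a regression test: a user without the capability must still get an empty result for a global team they do not belong to.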
Verified this bug on puddle 2.1.z/2014-07-15.1

User gpei has domain "00" and belongs to global team "team1".
User gpei doesn't have the view_global_teams permission.

[root@broker ~]# oo-admin-ctl-user -l gpei
User gpei:
    plan:
    consumed domains: 1
    max domains: 10
    consumed gears: 0
    max gears: 100
    max tracked storage per gear: 0
    max untracked storage per gear: 0
    max teams: 0
    viewing all global teams allowed: false
    gear sizes: small, medium
    sub accounts allowed: false
    private SSL certificates allowed: false
    inherit gear sizes: false
    HA allowed: false

[root@dhcp-129-188 workspace]# rhc team list
Team team1
----------
  ID:      53c5e9f1db26c83b25000001
  Global:  true
  Members: gpei (view)

You are a member of 1 team.

[root@dhcp-129-188 workspace]# rhc member-add team1 -n 00 --type team --global
Adding 1 editor to domain ... DEBUG: Searching teams
done

[root@dhcp-129-188 workspace]# rhc member list -n 00
Name  Login Role          Type
----- ----- ------------- ----
gpei  gpei  admin (owner) user
team1       edit          team
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-0999.html