Bug 1112750 - menu item "Hosts --> All hosts" is visible to normal user without any permission
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles
Version: 6.0.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Daniel Lobato Garcia
QA Contact: sthirugn@redhat.com
URL: http://projects.theforeman.org/issues...
Whiteboard:
Keywords: Triaged
Depends On:
Blocks:
Reported: 2014-06-24 15:45 UTC by Dominic Cleal
Modified: 2016-04-22 16:24 UTC (History)
Clone Of: 1112182
Last Closed: 2014-09-11 12:19:44 UTC


Attachments
permission denied accessing hosts (33.98 KB, image/png)
2014-08-08 20:32 UTC, sthirugn@redhat.com


External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 6361 None None None 2016-04-22 16:24 UTC

Description Dominic Cleal 2014-06-24 15:45:08 UTC
+++ This bug was initially created as a clone of Bug #1112182 +++

Description of problem:
I created a simple user in "Any context" mode and did not assign any location, org and roles. But the following menus are visible to that user.

Ideally, a user shouldn't be allowed to have access to any of the menu items without any permission. The Hosts menu shows "All Hosts" and the user can see the created hosts.

Version-Release number of selected component (if applicable):
sat6 beta snap10 compose2

How reproducible:
always 

Steps to Reproduce:
1. Log in as the admin user
2. Create a user in "Any context" and do not assign location and org
3. Log out as the admin user and log in as the newly created user

Actual results:
User can see Hosts --> All hosts

Expected results:
A user shouldn't be allowed to have access to any of the menu items without any permission

Additional info:

Comment 1 Dominic Cleal 2014-06-24 15:45:41 UTC
Created redmine issue http://projects.theforeman.org/issues/6361 from this bug

Comment 2 Dominic Cleal 2014-06-24 15:47:47 UTC
Not really "any permission", but all users automatically get the "Anonymous" role added.  By default the anonymous role grants an unlimited view_hosts permission, which IMHO should be removed.
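
Added example, not part of the original bug report and not Foreman code: a small Ruby model of the behaviour Comment 2 describes, showing how an implicitly attached role with an unscoped filter decides what a user with no assigned roles can see. The role data, the filter shape and all helper names are constructed for illustration.

```ruby
# Constructed model, not Foreman's schema: a role is a list of filters, and a
# filter with no search scope grants its permissions over every resource.
Filter = Struct.new(:permissions, :search) do
  def unlimited?
    search.nil? || search.strip.empty?
  end
end

# Hypothetical sample data mirroring the default described in Comment 2.
ROLES = {
  "Anonymous" => [Filter.new(%w[view_hosts], nil)],
  "Viewer"    => [Filter.new(%w[view_hosts view_reports], "hostgroup = web")]
}.freeze

# The change Comment 2 suggests: the implicit role no longer grants view_hosts.
HARDENED_ROLES = ROLES.merge("Anonymous" => []).freeze

# Roles attached to every account regardless of what an admin assigns.
IMPLICIT_ROLES = %w[Anonymous].freeze

# Effective grants = explicitly assigned roles plus the implicit ones.
def effective_grants(assigned, roles: ROLES, implicit: IMPLICIT_ROLES)
  (assigned | implicit).flat_map do |name|
    roles.fetch(name).flat_map do |filter|
      filter.permissions.map do |perm|
        { permission: perm, role: name, unlimited: filter.unlimited? }
      end
    end
  end
end

# Unscoped permissions that every account holds before any role is assigned.
def baseline_exposure(roles: ROLES)
  effective_grants([], roles: roles).select { |g| g[:unlimited] }
                                    .map { |g| g[:permission] }.uniq.sort
end

# A menu entry should be shown only when the backing permission is granted.
def menu_visible?(assigned, permission, roles: ROLES)
  effective_grants(assigned, roles: roles).any? { |g| g[:permission] == permission }
end

if __FILE__ == $PROGRAM_NAME
  puts "default baseline:  #{baseline_exposure.inspect}"
  puts "hardened baseline: #{baseline_exposure(roles: HARDENED_ROLES).inspect}"
end
```

Running a check like `baseline_exposure` against the roles attached to every account is a quick way to audit what a freshly created user can reach before any role is assigned.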

Comment 4 Daniel Lobato Garcia 2014-07-07 22:42:35 UTC
https://github.com/theforeman/foreman/pull/1549

is ready for testing

Comment 5 Bryan Kearney 2014-07-24 18:03:18 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/6361 has been closed
-------------
Daniel Lobato Garcia
https://github.com/theforeman/foreman/pull/1549

Comment 8 sthirugn@redhat.com 2014-08-08 20:31:49 UTC
Verified. (see screenshot)

Version Tested:
GA Snap 4 - Satellite-6.0.4-RHEL-6-20140806.0

* apr-util-ldap-1.3.9-3.el6_0.1.x86_64
* candlepin-0.9.19-1.el6_5.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.9.19-1.el6_5.noarch
* candlepin-tomcat6-0.9.19-1.el6_5.noarch
* elasticsearch-0.90.10-4.el6sat.noarch
* foreman-1.6.0.38-1.el6sat.noarch
* foreman-compute-1.6.0.38-1.el6sat.noarch
* foreman-gce-1.6.0.38-1.el6sat.noarch
* foreman-libvirt-1.6.0.38-1.el6sat.noarch
* foreman-ovirt-1.6.0.38-1.el6sat.noarch
* foreman-postgresql-1.6.0.38-1.el6sat.noarch
* foreman-proxy-1.6.0.23-1.el6sat.noarch
* foreman-selinux-1.6.0.4-1.el6sat.noarch
* foreman-vmware-1.6.0.38-1.el6sat.noarch
* katello-1.5.0-28.el6sat.noarch
* katello-ca-1.0-1.noarch
* katello-certs-tools-1.5.6-1.el6sat.noarch
* katello-installer-0.0.57-1.el6sat.noarch
* openldap-2.4.23-34.el6_5.1.x86_64
* pulp-katello-0.3-3.el6sat.noarch
* pulp-nodes-common-2.4.0-0.30.beta.el6sat.noarch
* pulp-nodes-parent-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-puppet-tools-2.4.0-0.30.beta.el6sat.noarch
* pulp-rpm-plugins-2.4.0-0.30.beta.el6sat.noarch
* pulp-selinux-2.4.0-0.30.beta.el6sat.noarch
* pulp-server-2.4.0-0.30.beta.el6sat.noarch
* python-ldap-2.3.10-1.el6.x86_64
* ruby193-rubygem-net-ldap-0.3.1-3.el6sat.noarch
* ruby193-rubygem-runcible-1.1.0-2.el6sat.noarch
* sssd-ldap-1.11.5.1-3.el6.x86_64

Comment 9 sthirugn@redhat.com 2014-08-08 20:32:34 UTC
Created attachment 925298
permission denied accessing hosts

Comment 11 Bryan Kearney 2014-09-11 12:19:44 UTC
This was delivered with Satellite 6.0 which was released on 10 September 2014.

