Bug 1132675 - Edit organization displays associated resources for use w/o permissions
Summary: Edit organization displays associated resources for use w/o permissions
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: WebUI
Version: 6.0.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Tom McKay
QA Contact: Tazim Kolhar
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: sam20-tracker
Reported: 2014-08-21 19:35 UTC by Tom McKay
Modified: 2017-02-23 21:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-12 05:15:25 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 7221 0 None None None 2016-04-22 16:03:38 UTC
Red Hat Product Errata RHSA-2015:1592 0 normal SHIPPED_LIVE Important: Red Hat Satellite 6.1.1 on RHEL 6 2015-08-12 09:04:35 UTC

Description Tom McKay 2014-08-21 19:35:18 UTC
A user with the below permissions can incorrectly see the following on an organization edit page. Note that because the tabs are displayed, the list of resources available in each is also displayed. This implies that the choices are not being reduced to show only those available to a specific user.

What I mean is that if user A has a filter that allowed them to only see "Alterator default" Template, then the list should contain only that template. It is my guess that this is not the case. Maybe worth a separate bug but suspect it is all related.

If no permission for resource at all, do not render tab at all.
For limited permissions, display only those resources that are accessible.

Smart Proxies
Subnets
Compute Resources
Media
Templates
Domains
Realms
Environments
Host Groups
Locations
Parameters


<pre>
Name,Count,Resource,Search,Permissions,Organizations,Locations
SAM Administrator,1,Katello::ActivationKey,"","view_activation_keys,create_activation_keys,edit_activation_keys,destroy_activation_keys",,""
SAM Administrator,1,Katello::System,"","view_content_hosts,create_content_hosts,edit_content_hosts,destroy_content_hosts",,""
SAM Administrator,1,Katello::ContentView,"",view_content_views,,""
SAM Administrator,1,Katello::HostCollection,"","view_host_collections,create_host_collections,edit_host_collections,destroy_host_collections",,""
SAM Administrator,1,Katello::KTEnvironment,"",view_lifecycle_environments,,""
SAM Administrator,1,Katello::Product,"","view_products,sync_products",,""
SAM Administrator,1,Organization,"","view_organizations,create_organizations,edit_organizations,destroy_organizations,assign_organizations,view_subscriptions,attach_subscriptions,unattach_subscriptions,import_manifest,delete_manifest",,""
SAM Administrator,1,Role,"","view_roles,create_roles,edit_roles,destroy_roles",,""
SAM Administrator,1,Filter,"","view_filters,create_filters,edit_filters,destroy_filters",,""
SAM Administrator,1,User,"","view_users,create_users,edit_users,destroy_users",,""
SAM Administrator,1,Usergroup,"","view_usergroups,create_usergroups,edit_usergroups,destroy_usergroups",,""
</pre>

Comment 1 Tom McKay 2014-08-21 19:35:19 UTC
Created from redmine issue http://projects.theforeman.org/issues/7221

Comment 3 Bryan Kearney 2014-09-03 00:04:38 UTC
Upstream bug assigned to tomckay

Comment 4 Bryan Kearney 2014-09-15 13:45:38 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/7221 has been closed
-------------
Thomas McKay
From IRC
<pre>
<thomasmckay> ehelms: working #7221 what should the perms be to view and edit associations with org/loc? https://github.com/theforeman/foreman/blob/develop/app/views/taxonomies/_form.html.erb#L16
<nudnik> ehelms: #7221 is http://theforeman.org/issues/7221 "Bug #7221: Edit organization displays associated resources for use w/o permissions - Foreman"
<thomasmckay> i think that page should just check view permission on the resource to show the tab
<thomasmckay> and then edit perm on at least org to adjust assocations. should edit perm on the smart-proxy, in this case, also be required?
<ehelms> thomasmckay: depends how you look at it, are you changing the org or the object? does adding an organization to a smart proxy change the proxy, the organization or both?
<ehelms> thomasmckay: I lean towards just the object
<thomasmckay> i'd say both since you are basically letting it be used in that org
<thomasmckay> ehelms: your vote is edit perm on the resource, but not require edit on the org?
<thomasmckay> should you be able to create a subnet in an org you don't have edit perm on?
<thomasmckay> i guess yes... yeah, i think you're right
<thomasmckay> so view on org but edit on resource
<ehelms> thomasmckay: that's how katello at least works when you think about it
</pre>
-------------
Thomas McKay
Applied in changeset commit:ae255b3caf953b43b2387bedc78a6a258b2b8b33.
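The permission model settled in the IRC exchange above (show a tab only when the user holds the view permission on that resource type; let a user change an org/resource association with view on the organization plus edit on the resource, not edit on the organization), together with the two rules from the description (no permission on a resource type means no tab at all, limited permission means only the reachable resources are listed), can be sketched as a stand-alone Ruby model. This is an added example, not Foreman's code or the fix in the referenced changeset: the Resource/Filter/User structs, the TABS map, the functions visible_tabs and can_change_association?, and the sample user and resources are all constructed for illustration.

```ruby
# Added example (not Foreman's own code): a self-contained model of the
# authorization rules discussed for bug #7221 / BZ 1132675.
# All names below are hypothetical stand-ins for Foreman's real models.

# A resource type that can be associated with an organization, e.g. a Smart Proxy.
Resource = Struct.new(:type, :name)

# One role filter: a set of permissions on a resource type, optionally scoped
# by a search predicate (here a lambda on the resource). Mirrors a filter row
# such as 'Katello::Product,"","view_products,sync_products"' in the report.
Filter = Struct.new(:resource_type, :permissions, :scope) do
  def covers?(resource)
    return false unless resource.type == resource_type
    scope.nil? || scope.call(resource)
  end
end

class User
  attr_reader :login, :filters

  def initialize(login, filters)
    @login = login
    @filters = filters
  end

  # Does any filter grant +permission+ on this resource type at all?
  def allowed_to?(permission, resource_type)
    filters.any? { |f| f.resource_type == resource_type && f.permissions.include?(permission) }
  end

  # Reduce +resources+ to those some filter carrying +permission+ lets the user reach.
  def authorized(permission, resources)
    resources.select do |r|
      filters.any? { |f| f.permissions.include?(permission) && f.covers?(r) }
    end
  end
end

# Tabs on the organization edit form: resource type => view permission that gates it.
TABS = {
  'SmartProxy'           => :view_smart_proxies,
  'Subnet'               => :view_subnets,
  'ProvisioningTemplate' => :view_provisioning_templates,
  'Domain'               => :view_domains,
}.freeze

# Description's rule: no view permission on the type -> tab not rendered;
# limited permission -> only the resources the user's filters reach are listed.
def visible_tabs(user, all_resources)
  TABS.each_with_object({}) do |(type, view_perm), tabs|
    next unless user.allowed_to?(view_perm, type)
    candidates = all_resources.select { |r| r.type == type }
    tabs[type] = user.authorized(view_perm, candidates)
  end
end

# IRC conclusion: changing an org/resource association needs view on the
# organization and edit on the resource itself, not edit on the organization.
def can_change_association?(user, resource, edit_perm)
  user.allowed_to?(:view_organizations, 'Organization') &&
    user.authorized(edit_perm, [resource]).any?
end

# Constructed sample data (not from the report).
ALL_RESOURCES = [
  Resource.new('SmartProxy', 'proxy-a'),
  Resource.new('SmartProxy', 'proxy-b'),
  Resource.new('Subnet', 'lab-net'),
  Resource.new('ProvisioningTemplate', 'Alterator default'),
  Resource.new('ProvisioningTemplate', 'Kickstart default'),
  Resource.new('Domain', 'example.test'),
].freeze

# Constructed user modelled on "user A" in the description: may see only the
# "Alterator default" template, may see and edit all smart proxies, and has no
# permission at all on subnets or domains.
def limited_user
  User.new('user_a', [
    Filter.new('Organization', %i[view_organizations], nil),
    Filter.new('SmartProxy', %i[view_smart_proxies edit_smart_proxies], nil),
    Filter.new('ProvisioningTemplate', %i[view_provisioning_templates],
               ->(r) { r.name == 'Alterator default' }),
  ])
end

if __FILE__ == $PROGRAM_NAME
  visible_tabs(limited_user, ALL_RESOURCES).each do |type, list|
    puts "#{type}: #{list.map(&:name).join(', ')}"
  end
end
```

Run stand-alone, this prints only the SmartProxy and ProvisioningTemplate tabs, with the template tab reduced to the single entry the filter's search scope allows; the Subnet and Domain tabs are absent because the user holds no view permission on those types. The check that matters for the original report is the second half of visible_tabs: rendering a tab is not enough, the list inside it must also be passed through the same authorization scope, otherwise the page leaks resources the user cannot otherwise reach.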

Comment 7 Tazim Kolhar 2015-02-13 05:31:43 UTC
VERIFIED:

# rpm -qa | grep foreman
foreman-postgresql-1.7.2.4-1.el7sat.noarch
foreman-vmware-1.7.2.4-1.el7sat.noarch
ruby193-rubygem-foreman_bootdisk-4.0.2.4-1.el7.noarch
foreman-compute-1.7.2.4-1.el7sat.noarch
ruby193-rubygem-foreman_docker-1.1.0.2-1.el7sat.noarch
ruby193-rubygem-foreman-tasks-0.6.12.1-1.el7sat.noarch
rubygem-hammer_cli_foreman_tasks-0.0.3.1-1.el7.noarch
ruby193-rubygem-foreman_openscap-0.3.0-1.el7sat.noarch
foreman-1.7.2.4-1.el7sat.noarch
foreman-gce-1.7.2.4-1.el7sat.noarch
ruby193-rubygem-foreman_abrt-0.0.5-2.el7sat.noarch
rubygem-hammer_cli_foreman-0.1.4.3-1.el7sat.noarch
qe-sat6-rhel7.usersys.redhat.com-foreman-proxy-client-1.0-1.noarch
foreman-selinux-1.7.2.8-1.el7sat.noarch
foreman-ovirt-1.7.2.4-1.el7sat.noarch
ruby193-rubygem-foreman-redhat_access-0.0.7-2.el7sat.noarch
rubygem-hammer_cli_foreman_bootdisk-0.1.2.4-1.el7.noarch
foreman-proxy-1.7.2.1-1.el7sat.noarch
foreman-libvirt-1.7.2.4-1.el7sat.noarch
ruby193-rubygem-foreman_gutterball-0.0.1.4-1.el7sat.noarch
qe-sat6-rhel7.usersys.redhat.com-foreman-client-1.0-1.noarch
qe-sat6-rhel7.usersys.redhat.com-foreman-proxy-1.0-1.noarch
ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch

Created a user with limited permissions to check all the limited resources available.

Comment 8 Bryan Kearney 2015-08-11 13:32:15 UTC
This bug is slated to be released with Satellite 6.1.

Comment 9 errata-xmlrpc 2015-08-12 05:15:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592

