Red Hat Bugzilla – Bug 1132675
Edit organization displays associated resources for use w/o permissions
Last modified: 2017-02-23 16:02:32 EST
A user with the below permissions can incorrectly see the following on an organization edit page. Note that because the tabs are displayed the list of resources available in each are also displayed. This implies that the choices are not being reduce to show only those available to a specific user. What I mean is that if user A has a filter that allowed them to only see "Alterator default" Template, then the list should contain only that template. It is my guess that this is not the case. Maybe worth a separate bug but suspect it is all related. If no permission for resource at all, do not render tab at all. For limited permissions, display only those resources that are accessible. Smart Proxies Subnets Compute Resources Media Templates Domains Realms Environments Host Groups Locations Parameters <pre> Name,Count,Resource,Search,Permissions,Organizations,Locations SAM Administrator,1,Katello::ActivationKey,"","view_activation_keys,create_activation_keys,edit_activation_keys,destroy_activation_keys",,"" SAM Administrator,1,Katello::System,"","view_content_hosts,create_content_hosts,edit_content_hosts,destroy_content_hosts",,"" SAM Administrator,1,Katello::ContentView,"",view_content_views,,"" SAM Administrator,1,Katello::HostCollection,"","view_host_collections,create_host_collections,edit_host_collections,destroy_host_collections",,"" SAM Administrator,1,Katello::KTEnvironment,"",view_lifecycle_environments,,"" SAM Administrator,1,Katello::Product,"","view_products,sync_products",,"" SAM Administrator,1,Organization,"","view_organizations,create_organizations,edit_organizations,destroy_organizations,assign_organizations,view_subscriptions,attach_subscriptions,unattach_subscriptions,import_manifest,delete_manifest",,"" SAM Administrator,1,Role,"","view_roles,create_roles,edit_roles,destroy_roles",,"" SAM Administrator,1,Filter,"","view_filters,create_filters,edit_filters,destroy_filters",,"" SAM Administrator,1,User,"","view_users,create_users,edit_users,destroy_users",,"" SAM Administrator,1,Usergroup,"","view_usergroups,create_usergroups,edit_usergroups,destroy_usergroups",,"" </pre>
Created from redmine issue http://projects.theforeman.org/issues/7221
Upstream bug assigned to tomckay@redhat.com
Moving to POST since upstream bug http://projects.theforeman.org/issues/7221 has been closed ------------- Thomas McKay From IRC <pre> <thomasmckay> ehelms: working #7221 what should the perms be to view and edit associations with org/loc? https://github.com/theforeman/foreman/blob/develop/app/views/taxonomies/_form.html.erb#L16 <nudnik> ehelms: #7221 is http://theforeman.org/issues/7221 "Bug #7221: Edit organization displays associated resources for use w/o permissions - Foreman" <thomasmckay> i think that page should just check view permission on the resource to show the tab <thomasmckay> and then edit perm on at least org to adjust assocations. should edit perm on the smart-proxy, in this case, also be required? <ehelms> thomasmckay: depends how you look at it, are you changing the org or the object? does adding an organization to a smart proxy change the proxy, the organization or both? <ehelms> thomasmckay: I lean towards just the object <thomasmckay> i'd say both since you are basically letting it be used in that org <thomasmckay> ehelms: your vote is edit perm on the resource, but not require edit on the org? <thomasmckay> should you be able to create a subnet in an org you don't have edit perm on? <thomasmckay> i guess yes... yeah, i think you're right <thomasmckay> so view on org but edit on resource <ehelms> thomasmckay: that's how katello at least works when you think about it </pre> ------------- Thomas McKay Applied in changeset commit:ae255b3caf953b43b2387bedc78a6a258b2b8b33.
VERIFIED: # rpm -qa | grep foreman foreman-postgresql-1.7.2.4-1.el7sat.noarch foreman-vmware-1.7.2.4-1.el7sat.noarch ruby193-rubygem-foreman_bootdisk-4.0.2.4-1.el7.noarch foreman-compute-1.7.2.4-1.el7sat.noarch ruby193-rubygem-foreman_docker-1.1.0.2-1.el7sat.noarch ruby193-rubygem-foreman-tasks-0.6.12.1-1.el7sat.noarch rubygem-hammer_cli_foreman_tasks-0.0.3.1-1.el7.noarch ruby193-rubygem-foreman_openscap-0.3.0-1.el7sat.noarch foreman-1.7.2.4-1.el7sat.noarch foreman-gce-1.7.2.4-1.el7sat.noarch ruby193-rubygem-foreman_abrt-0.0.5-2.el7sat.noarch rubygem-hammer_cli_foreman-0.1.4.3-1.el7sat.noarch qe-sat6-rhel7.usersys.redhat.com-foreman-proxy-client-1.0-1.noarch foreman-selinux-1.7.2.8-1.el7sat.noarch foreman-ovirt-1.7.2.4-1.el7sat.noarch ruby193-rubygem-foreman-redhat_access-0.0.7-2.el7sat.noarch rubygem-hammer_cli_foreman_bootdisk-0.1.2.4-1.el7.noarch foreman-proxy-1.7.2.1-1.el7sat.noarch foreman-libvirt-1.7.2.4-1.el7sat.noarch ruby193-rubygem-foreman_gutterball-0.0.1.4-1.el7sat.noarch qe-sat6-rhel7.usersys.redhat.com-foreman-client-1.0-1.noarch qe-sat6-rhel7.usersys.redhat.com-foreman-proxy-1.0-1.noarch ruby193-rubygem-foreman_hooks-0.3.7-2.el7sat.noarch Created a user with limited permissions to check all the limited resources availiable
This bug is slated to be released with Satellite 6.1.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2015:1592