Bug 114879 - 'Edit Item' privilege allows 'Delete Item'
Summary: 'Edit Item' privilege allows 'Delete Item'
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise CMS
Classification: Retired
Component: other   
(Show other bugs)
Version: nightly
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Berrange
QA Contact: Jon Orris
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-02-03 22:01 UTC by Jon Orris
Modified: 2007-04-18 17:02 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-04-06 08:33:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

Description Jon Orris 2004-02-03 22:01:51 UTC
Description of problem:
@40017/Oracle

Granting a user the 'Edit Item' privilege allows the user to delete
any item.

To Reproduce:
1) Create a new CMS User, add them to a role w/o 'Edit Item' or
'Delete Item'.
2) Create an item.
3) The user can't delete it; no delete link appears.
4) Grant 'Edit Item' to the user.
5) The user now sees a 'Delete' link next to the items, and can
successfully delete them.

From talking with Scott, it isn't 100% clear that this is a bug; this
may be allowed by implied permissions, but possibly the permissions
are too large. 

Dan, could you & Scott & whomever hash this out? If it isn't a bug, we
need to assign a documentation task to kwade or charjt.

Comment 1 Daniel Berrange 2004-04-06 08:33:24 UTC
I vote for not a bug, because there is such a fine line between delete
& edit - someone with edit privilege can just as easily delete all the
body text.


Note You need to log in before you can comment on or make changes to this bug.