Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 114879 - 'Edit Item' privilege allows 'Delete Item'
'Edit Item' privilege allows 'Delete Item'
Product: Red Hat Enterprise CMS
Classification: Retired
Component: other (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Berrange
Jon Orris
Depends On:
  Show dependency treegraph
Reported: 2004-02-03 17:01 EST by Jon Orris
Modified: 2007-04-18 13:02 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-04-06 04:33:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jon Orris 2004-02-03 17:01:51 EST
Description of problem:

Granting a user the 'Edit Item' privilege allows the user to delete
any item.

To Reproduce:
1) Create a new CMS User, add them to a role w/o 'Edit Item' or
'Delete Item'.
2) Create an item.
3) The user can't delete it; no delete link appears.
4) Grant 'Edit Item' to the user.
5) The user now sees a 'Delete' link next to the items, and can
successfully delete them.

From talking with Scott, it isn't 100% clear that this is a bug; this
may be allowed by implied permissions, but possibly the permissions
are too large. 

Dan, could you & Scott & whomever hash this out? If it isn't a bug, we
need to assign a documentation task to kwade or charjt.
Comment 1 Daniel Berrange 2004-04-06 04:33:24 EDT
I vote for not a bug, because there is such a fine line between delete
& edit - someone with edit privilege can just as easily delete all the
body text.

Note You need to log in before you can comment on or make changes to this bug.