Bug 114879 - 'Edit Item' privilege allows 'Delete Item'
Summary: 'Edit Item' privilege allows 'Delete Item'
Alias: None
Product: Red Hat Enterprise CMS
Classification: Retired
Component: other   
(Show other bugs)
Version: nightly
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Daniel Berrange
QA Contact: Jon Orris
Depends On:
TreeView+ depends on / blocked
Reported: 2004-02-03 22:01 UTC by Jon Orris
Modified: 2007-04-18 17:02 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-04-06 08:33:24 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Jon Orris 2004-02-03 22:01:51 UTC
Description of problem:

Granting a user the 'Edit Item' privilege allows the user to delete
any item.

To Reproduce:
1) Create a new CMS User, add them to a role w/o 'Edit Item' or
'Delete Item'.
2) Create an item.
3) The user can't delete it; no delete link appears.
4) Grant 'Edit Item' to the user.
5) The user now sees a 'Delete' link next to the items, and can
successfully delete them.

From talking with Scott, it isn't 100% clear that this is a bug; this
may be allowed by implied permissions, but possibly the permissions
are too large. 

Dan, could you & Scott & whomever hash this out? If it isn't a bug, we
need to assign a documentation task to kwade or charjt.

Comment 1 Daniel Berrange 2004-04-06 08:33:24 UTC
I vote for not a bug, because there is such a fine line between delete
& edit - someone with edit privilege can just as easily delete all the
body text.

Note You need to log in before you can comment on or make changes to this bug.