Bug 114879 - 'Edit Item' privilege allows 'Delete Item'
Summary: 'Edit Item' privilege allows 'Delete Item'
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise CMS
Classification: Retired
Component: other
Version: nightly
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Berrangé
QA Contact: Jon Orris
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-02-03 22:01 UTC by Jon Orris
Modified: 2007-04-18 17:02 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-04-06 08:33:24 UTC
Embargoed:

Attachments (Terms of Use)

Description Jon Orris 2004-02-03 22:01:51 UTC 
Description of problem:
@40017/Oracle

Granting a user the 'Edit Item' privilege allows the user to delete
any item.

To Reproduce:
1) Create a new CMS User, add them to a role w/o 'Edit Item' or
'Delete Item'.
2) Create an item.
3) The user can't delete it; no delete link appears.
4) Grant 'Edit Item' to the user.
5) The user now sees a 'Delete' link next to the items, and can
successfully delete them.

From talking with Scott, it isn't 100% clear that this is a bug; this
may be allowed by implied permissions, but possibly the permissions
are too large. 

Dan, could you & Scott & whomever hash this out? If it isn't a bug, we
need to assign a documentation task to kwade or charjt.
Comment 1 Daniel Berrangé 2004-04-06 08:33:24 UTC 
I vote for not a bug, because there is such a fine line between delete
& edit - someone with edit privilege can just as easily delete all the
body text.
Note You need to log in before you can comment on or make changes to this bug.