Bug 1192484 - user with limited rights can see Content -> Errata menu item but it produces "403 - Permission Denied" page only
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles
Version: 6.1.0
Hardware/OS: Unspecified / Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Target Release: Unused
Assigned To: Eric Helms
QA Contact: Corey Welton
URL: http://projects.theforeman.org/issues...
Keywords: Triaged
Reported: 2015-02-13 08:50 EST by Jan Hutař
Modified: 2017-02-23 15:31 EST
CC List: 5 users
Doc Type: Bug Fix
Last Closed: 2015-08-12 01:25:36 EDT
Type: Bug

Attachments:
screenshot in compose6 (36.43 KB, image/png) - 2015-03-11 15:19 EDT, Corey Welton

External Trackers:
Tracker                | ID            | Priority | Status       | Summary                                      | Last Updated
Foreman Issue Tracker  | 10147         | None     | None         | None                                         | 2016-04-22 12:28 EDT
Red Hat Product Errata | RHSA-2015:1592 | normal  | SHIPPED_LIVE | Important: Red Hat Satellite 6.1.1 on RHEL 6 | 2015-08-12 05:04:35 EDT
Description Jan Hutař 2015-02-13 08:50:25 EST
Description of problem:
User with limited rights can see Content -> Errata menu item but it produces "403 - Permission Denied" page only. Context "Default Organization@Default Location" is selected.


Version-Release number of selected component (if applicable):
Satellite-6.1.0-RHEL-6-20150210.0-Satellite-x86_64


How reproducible:
always


Steps to Reproduce:
1. Created a role "role1" as the admin user
2. Added the following permissions to "role1":
     content-view resource type - create, view and publish CV
     product resource type - view product
     activation-key resource type - create, update, destroy, view
     lifecycle env resource type - view
3. Created a user user1 and assigned role1 to this user
4. Logged out as admin and logged in as user1


Actual results:
One of the items user1 can see in the "Content" menu is "Errata". Clicking on it generates a 403 HTTP error page:

  403 - Permission Denied
  You are not authorised to perform this action.
  Please request the required privileges from an administrator.


Expected results:
"Errata" menu item should not be there.


Additional info:
Probably not all of the permissions from 2nd step of "Steps to Reproduce" are needed to reproduce, but this was reported when testing bug 1112234 and I had this setup handy.
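The defect reported above is a classic mismatch between UI visibility and server-side authorization: the menu decides whether to show "Errata" by one rule, while the controller decides whether to serve the page by another, so a user ends up with a link that only ever yields a 403. The Ruby script below is an added example written for this page, not Foreman or Katello code; the permission names, the `CONTENT_MENU` table, and the `User`/`authorize` helpers are constructed for illustration. It models role1's permissions from the reproducer, shows a menu builder that lists "Errata" on a coarser condition than the controller checks, and beside it a menu builder that reuses the controller's own predicate, plus a `dangling_items` check that flags any rendered item whose action would 403.

```ruby
require 'set'

# Permission names are constructed "resource:action" strings for this example,
# not Foreman's permission names.
ERRATA_PERMISSION = 'errata:view'.freeze

# The permissions granted to "role1" in the reproducer, as this example
# encodes them (constructed mapping).
ROLE1_PERMISSIONS = %w[
  content_view:create content_view:view content_view:publish
  product:view
  activation_key:create activation_key:update activation_key:destroy activation_key:view
  lifecycle_environment:view
].freeze

# Which permission each Content menu item's controller action requires
# (assumed table; the point is that menu and controller share it).
CONTENT_MENU = {
  'Content Views' => 'content_view:view',
  'Products'      => 'product:view',
  'Errata'        => ERRATA_PERMISSION
}.freeze

class User
  attr_reader :name, :permissions

  def initialize(name, permissions)
    @name = name
    @permissions = Set.new(permissions)
  end

  def allowed?(permission)
    @permissions.include?(permission)
  end
end

# Controller-side authorization: this is what actually decides between a page
# and a 403, regardless of what the menu showed.
def authorize(user, item)
  user.allowed?(CONTENT_MENU.fetch(item)) ? :ok : :forbidden_403
end

# Buggy menu builder: shows Errata whenever the user holds any content-view or
# product permission, a coarser condition than the controller enforces.
def content_menu_buggy(user)
  items = []
  items << 'Content Views' if user.allowed?('content_view:view')
  items << 'Products'      if user.allowed?('product:view')
  items << 'Errata'        if user.permissions.any? { |p| p.start_with?('content_view:', 'product:') }
  items
end

# Fixed menu builder: every item is shown only if the controller's own check
# would pass, so the menu and the 403 decision cannot disagree.
def content_menu_fixed(user)
  CONTENT_MENU.keys.select { |item| authorize(user, item) == :ok }
end

# Regression check: menu items the user can see but whose action would 403.
def dangling_items(user, menu)
  menu.reject { |item| authorize(user, item) == :ok }
end

if __FILE__ == $PROGRAM_NAME
  user1 = User.new('user1', ROLE1_PERMISSIONS)
  buggy = content_menu_buggy(user1)
  fixed = content_menu_fixed(user1)
  puts "buggy menu: #{buggy.inspect} -> dangling #{dangling_items(user1, buggy).inspect}"
  puts "fixed menu: #{fixed.inspect} -> dangling #{dangling_items(user1, fixed).inspect}"
end
```

Running it for user1 shows the buggy menu listing "Errata" while `authorize` returns `:forbidden_403` for it, and the fixed menu omitting the item; `dangling_items` is the kind of check that would have caught this bug in a test suite, because it asserts that nothing rendered for a user is something that user cannot actually open.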
Comment 1 RHEL Product and Program Management 2015-02-13 08:53:22 EST
Since this issue was entered in Red Hat Bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.
Comment 3 Eric Helms 2015-02-25 19:00:31 EST
I am not able to reproduce this with the latest.
Comment 4 Jan Hutař 2015-02-26 04:53:10 EST
I have followed the reproducer and I can still see "Content -> Errata" when logged in as "user1".
Comment 6 Eric Helms 2015-03-09 09:36:08 EDT
Testing this on latest I am not able to reproduce this issue.
Comment 9 Corey Welton 2015-03-11 15:19:10 EDT
This does indeed still take place in Satellite-6.1.0-RHEL-6-20150310.0


Adding the specific roles as referenced in initial report, and creating a user which has those roles only, I get top-level menu items of

Monitor
Content

Within Content, there is definitely an Errata tab, which leads to a 403.  Will be attaching a screenshot
Comment 10 Corey Welton 2015-03-11 15:19:50 EDT
Created attachment 1000623 [details]
screenshot in compose6
Comment 13 Corey Welton 2015-05-01 17:00:01 EDT
Verified in Satellite-6.1.0-RHEL-7-20150424.0
Comment 14 Bryan Kearney 2015-08-11 09:29:43 EDT
This bug is slated to be released with Satellite 6.1.
Comment 15 errata-xmlrpc 2015-08-12 01:25:36 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2015:1592
