Bug 1297415 - [RFE][L-8] Service dialogs created by the root tenant are not locked and can be modified or deleted by a child tenant.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.11.0
Assignee: Libor Pichler
QA Contact: Niyaz Akhtar Ansari
URL:
Whiteboard: service:dialog:cfme_tenant
Depends On:
Blocks: 1480786 1584677 1678450
Reported: 2016-01-11 13:15 UTC by Nikhil Gupta
Modified: 2019-12-13 15:16 UTC (History)

Fixed In Version: 5.11.0.1
Doc Type: Enhancement
Doc Text:
Clone Of:
: 1678450 (view as bug list)
Environment:
Last Closed: 2019-12-13 15:16:59 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2139411 0 None None None 2016-01-26 08:56:41 UTC

Description Nikhil Gupta 2016-01-11 13:15:17 UTC
Description of problem:
Service dialogs created by the root tenant are not locked and can be modified or deleted by a child tenant.

Version-Release number of selected component (if applicable):
5.5.0.13.20151201120956_653c0d4

How reproducible:
Always

Steps to Reproduce:
1. In the Automation domain, create service dialogs as the root tenant.
2. Service dialogs created by root tenant are not locked for child tenants.

Actual results:
They can be modified or deleted by a child tenant.

Expected results:
Child tenant should not have access to service dialogs created by root tenant.

Comment 22 Nikhil Gupta 2018-06-18 05:59:16 UTC
Hi Team,

The subtenant can delete a service dialog created by another tenant from a different group. So this is not limited to the root tenant.

Reproducing steps:

1. MyCompany/test1/Test1
2. MyCompany/test2/Test2
3. Create different groups for the above tenants.
4. Create 2 users (Test1 and Test2), one for each of the above groups.
5. Log in as Test1 user and create a service dialog (RHEL7).
6. Now, log in as Test2 user and see that the RHEL7 service dialog is visible to this user as well. He can Edit, Copy and Delete this dialog. This should be restricted.

For customers, this is a significant security problem when sharing a catalog.
Please try to fix this as soon as possible.

Regards,
Niks
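
The two reproductions above (root tenant to child tenant, and sibling tenants test1/test2) can be written as a regression matrix; this is an added example, not part of the bug report and not ManageIQ code. All class, constant and method names are hypothetical, the tenants, users and dialogs are constructed, and the "owning tenant only" policy is an assumption about the intended behaviour.

```ruby
# Added illustration: hypothetical names, not ManageIQ's models or API.
Tenant = Struct.new(:name, :parent) do
  # Render the tenant as a path such as "MyCompany/test1".
  def path
    parent ? "#{parent.path}/#{name}" : name
  end
end
User   = Struct.new(:name, :tenant)
Dialog = Struct.new(:label, :owner) # owner is the Tenant that created it

MUTATING = %i[edit copy delete].freeze

# Reported behaviour: the dialog's owning tenant is never consulted.
UNSCOPED = ->(_user, _dialog, _action) { true }

# Assumed corrected policy: only the owning tenant's users may act.
TENANT_SCOPED = ->(user, dialog, _action) { user.tenant.equal?(dialog.owner) }

# Constructed tenants, users and dialogs mirroring the reproduction steps.
ROOT  = Tenant.new("MyCompany", nil)
T1    = Tenant.new("test1", ROOT)
T2    = Tenant.new("test2", ROOT)
ADMIN = User.new("admin", ROOT)
TEST1 = User.new("Test1", T1)
TEST2 = User.new("Test2", T2)
ROOT_DIALOG = Dialog.new("root-dialog", ROOT)
RHEL7       = Dialog.new("RHEL7", T1)

# Replay every mutating action by every user against every dialog and
# return the ones the policy permits across a tenant boundary.
def cross_tenant_grants(policy, users: [ADMIN, TEST1, TEST2],
                        dialogs: [ROOT_DIALOG, RHEL7])
  grants = users.product(dialogs, MUTATING).select do |user, dialog, action|
    !user.tenant.equal?(dialog.owner) && policy.call(user, dialog, action)
  end
  grants.map do |user, dialog, action|
    "#{user.name} (#{user.tenant.path}) #{action} #{dialog.label} " \
      "owned by #{dialog.owner.path}"
  end
end

# The scoped policy must not lock owners out of their own dialogs.
def owner_can_manage?(policy)
  MUTATING.all? { |action| policy.call(TEST1, RHEL7, action) }
end

puts cross_tenant_grants(UNSCOPED)
puts "scoped policy grants: #{cross_tenant_grants(TENANT_SCOPED).size}"
```
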

Comment 32 CFME Bot 2018-11-15 13:12:49 UTC
New commit detected on ManageIQ/manageiq-ui-classic/hammer:

https://github.com/ManageIQ/manageiq-ui-classic/commit/f1e8c8a1a855f9a82bcd23b95e4d9eac3d0aae6b
commit f1e8c8a1a855f9a82bcd23b95e4d9eac3d0aae6b
Author:     Milan Zázrivec <mzazrivec>
AuthorDate: Fri Nov  2 07:32:22 2018 -0400
Commit:     Milan Zázrivec <mzazrivec>
CommitDate: Fri Nov  2 07:32:22 2018 -0400

    Merge pull request #4782 from lpichler/allow_any_product_feature_for_customization

    Add any product product feature for Customization in menu

    (cherry picked from commit a3a9ce7b53273e19f44dc042b3fe3950c050686a)

    https://bugzilla.redhat.com/show_bug.cgi?id=1297415

 app/presenters/menu/default_menu.rb | 2 +-
 spec/presenters/menu/default_menu_spec.rb | 8 +
 2 files changed, 9 insertions(+), 1 deletion(-)

Comment 36 Niyaz Akhtar Ansari 2019-05-15 09:39:23 UTC
Verified in Version 5.11.0.4.20190514210444_0c91ee1

