Bug 1317868 - Unauthorized user can remove host parameter
Summary: Unauthorized user can remove host parameter
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.1.7
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Peter Ondrejka
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-03-15 12:00 UTC by Kenny Tordeurs
Modified: 2020-03-11 15:03 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-26 12:25:45 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
role_filters (87.14 KB, image/png)
2016-03-15 12:00 UTC, Kenny Tordeurs 		no flags Details
host_parameters (64.07 KB, image/png)
2016-03-15 12:01 UTC, Kenny Tordeurs 		no flags Details
host_parameters_postfix (6.64 KB, image/png)
2016-10-10 13:38 UTC, Peter Ondrejka 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2108 0 normal SHIPPED_LIVE Satellite 6.2.3 Async Bug Release 2016-10-26 16:21:52 UTC

Description Kenny Tordeurs 2016-03-15 12:00:37 UTC 
Created attachment 1136564 [details]
role_filters

Description of problem:
Defined a Role which allows user to Edit host information (organization, host group, etc...).

On "Parameters" tab, the user cannot edit or add parameter, but he can Remove Host parameters.

Version-Release number of selected component (if applicable):
Satellite 6.1.7

How reproducible:
100%

Steps to Reproduce:
1. Defined a Role which allows user to Edit host information (organization, host group, etc...).
2. Go to a host and go to the "Parameters" tab, the user cannot edit or add parameter, but he can Remove Host parameters.

Actual results:
Able to remove a parameter from a host.

Expected results:
Deny removing parameter and remove the "Remove parameter" button from the page

Additional info:
Comment 1 Kenny Tordeurs 2016-03-15 12:01:03 UTC 
Created attachment 1136565 [details]
host_parameters
Comment 5 Marek Hulan 2016-08-15 11:18:44 UTC 
I can't reproduce on 6.2.0, you need a filter for resource Parameter and a permission called "destroy_params" to see the cross next to remove.
Comment 6 Peter Ondrejka 2016-10-10 13:37:23 UTC 
Comment #5 confirmed on satellite-6.2.3-1.0, not possible to delete, however I wonder why display the "remove" string (see attachment) if it can't do anything? I suppose empty space under Actions would be more user-friendly.
Comment 7 Peter Ondrejka 2016-10-10 13:38:33 UTC 
Created attachment 1208875 [details]
host_parameters_postfix
Comment 8 Marek Hulan 2016-10-12 09:53:55 UTC 
Peter, we tend to display actions that are not allowed so it's less confusing for user why sometimes see the link and sometimes now (e.g. if in one table they can see 2 params but can only delete one of them because of granular filter). If user does not have destroy permission for any parameter, the "destroy" is hidden for all of them. In this case it might be more confusing so if you feel this is a bug, we can probably hide it completely. Since this is already ON_QA, I'd suggest reporting a new BZ for that.
Comment 9 Peter Ondrejka 2016-10-12 11:22:30 UTC 
OK, if this is a policy and not some forgotten element, than be it. Moving to verified as per comment 6.
Comment 10 Marek Hulan 2016-10-12 12:31:29 UTC 
We have helpers for both, so it's a matter of specific page really.
Comment 12 errata-xmlrpc 2016-10-26 12:25:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:2108
Note You need to log in before you can comment on or make changes to this bug.