Bug 1317868 - Unauthorized user can remove host parameter
Summary: Unauthorized user can remove host parameter
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.1.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Peter Ondrejka
Depends On:
TreeView+ depends on / blocked
Reported: 2016-03-15 12:00 UTC by Kenny Tordeurs
Modified: 2020-03-11 15:03 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-10-26 12:25:45 UTC
Target Upstream Version:

Attachments (Terms of Use)
role_filters (87.14 KB, image/png)
2016-03-15 12:00 UTC, Kenny Tordeurs
no flags Details
host_parameters (64.07 KB, image/png)
2016-03-15 12:01 UTC, Kenny Tordeurs
no flags Details
host_parameters_postfix (6.64 KB, image/png)
2016-10-10 13:38 UTC, Peter Ondrejka
no flags Details

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2108 0 normal SHIPPED_LIVE Satellite 6.2.3 Async Bug Release 2016-10-26 16:21:52 UTC

Description Kenny Tordeurs 2016-03-15 12:00:37 UTC
Created attachment 1136564 [details]

Description of problem:
Defined a Role which allows user to Edit host information (organization, host group, etc...).

On "Parameters" tab, the user cannot edit or add parameter, but he can Remove Host parameters.

Version-Release number of selected component (if applicable):
Satellite 6.1.7

How reproducible:

Steps to Reproduce:
1. Defined a Role which allows user to Edit host information (organization, host group, etc...).
2. Go to a host and go to the "Parameters" tab, the user cannot edit or add parameter, but he can Remove Host parameters.

Actual results:
Able to remove a parameter from a host.

Expected results:
Deny removing parameter and remove the "Remove parameter" button from the page

Additional info:

Comment 1 Kenny Tordeurs 2016-03-15 12:01:03 UTC
Created attachment 1136565 [details]

Comment 5 Marek Hulan 2016-08-15 11:18:44 UTC
I can't reproduce on 6.2.0, you need a filter for resource Parameter and a permission called "destroy_params" to see the cross next to remove.

Comment 6 Peter Ondrejka 2016-10-10 13:37:23 UTC
Comment #5 confirmed on satellite-6.2.3-1.0, not possible to delete, however I wonder why display the "remove" string (see attachment) if it can't do anything? I suppose empty space under Actions would be more user-friendly.

Comment 7 Peter Ondrejka 2016-10-10 13:38:33 UTC
Created attachment 1208875 [details]

Comment 8 Marek Hulan 2016-10-12 09:53:55 UTC
Peter, we tend to display actions that are not allowed so it's less confusing for user why sometimes see the link and sometimes now (e.g. if in one table they can see 2 params but can only delete one of them because of granular filter). If user does not have destroy permission for any parameter, the "destroy" is hidden for all of them. In this case it might be more confusing so if you feel this is a bug, we can probably hide it completely. Since this is already ON_QA, I'd suggest reporting a new BZ for that.

Comment 9 Peter Ondrejka 2016-10-12 11:22:30 UTC
OK, if this is a policy and not some forgotten element, than be it. Moving to verified as per comment 6.

Comment 10 Marek Hulan 2016-10-12 12:31:29 UTC
We have helpers for both, so it's a matter of specific page really.

Comment 12 errata-xmlrpc 2016-10-26 12:25:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.