Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1317868 - Unauthorized user can remove host parameter
Unauthorized user can remove host parameter
Status: CLOSED ERRATA
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Users & Roles (Show other bugs)
6.1.7
Unspecified Unspecified
high Severity high (vote)
: 6.2.3
: Unused
Assigned To: satellite6-bugs
Peter Ondrejka
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-15 08:00 EDT by Kenny Tordeurs
Modified: 2017-09-27 11:22 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-26 08:25:45 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
role_filters (87.14 KB, image/png)
2016-03-15 08:00 EDT, Kenny Tordeurs 		no flags Details
host_parameters (64.07 KB, image/png)
2016-03-15 08:01 EDT, Kenny Tordeurs 		no flags Details
host_parameters_postfix (6.64 KB, image/png)
2016-10-10 09:38 EDT, Peter Ondrejka 		no flags Details
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2108 normal SHIPPED_LIVE Satellite 6.2.3 Async Bug Release 2016-10-26 12:21:52 EDT

  None (edit)
Description Kenny Tordeurs 2016-03-15 08:00:37 EDT 
Created attachment 1136564 [details]
role_filters

Description of problem:
Defined a Role which allows user to Edit host information (organization, host group, etc...).

On "Parameters" tab, the user cannot edit or add parameter, but he can Remove Host parameters.

Version-Release number of selected component (if applicable):
Satellite 6.1.7

How reproducible:
100%

Steps to Reproduce:
1. Defined a Role which allows user to Edit host information (organization, host group, etc...).
2. Go to a host and go to the "Parameters" tab, the user cannot edit or add parameter, but he can Remove Host parameters.

Actual results:
Able to remove a parameter from a host.

Expected results:
Deny removing parameter and remove the "Remove parameter" button from the page

Additional info:
Comment 1 Kenny Tordeurs 2016-03-15 08:01 EDT 
Created attachment 1136565 [details]
host_parameters
Comment 5 Marek Hulan 2016-08-15 07:18:44 EDT 
I can't reproduce on 6.2.0, you need a filter for resource Parameter and a permission called "destroy_params" to see the cross next to remove.
Comment 6 Peter Ondrejka 2016-10-10 09:37:23 EDT 
Comment #5 confirmed on satellite-6.2.3-1.0, not possible to delete, however I wonder why display the "remove" string (see attachment) if it can't do anything? I suppose empty space under Actions would be more user-friendly.
Comment 7 Peter Ondrejka 2016-10-10 09:38 EDT 
Created attachment 1208875 [details]
host_parameters_postfix
Comment 8 Marek Hulan 2016-10-12 05:53:55 EDT 
Peter, we tend to display actions that are not allowed so it's less confusing for user why sometimes see the link and sometimes now (e.g. if in one table they can see 2 params but can only delete one of them because of granular filter). If user does not have destroy permission for any parameter, the "destroy" is hidden for all of them. In this case it might be more confusing so if you feel this is a bug, we can probably hide it completely. Since this is already ON_QA, I'd suggest reporting a new BZ for that.
Comment 9 Peter Ondrejka 2016-10-12 07:22:30 EDT 
OK, if this is a policy and not some forgotten element, than be it. Moving to verified as per comment 6.
Comment 10 Marek Hulan 2016-10-12 08:31:29 EDT 
We have helpers for both, so it's a matter of specific page really.
Comment 12 errata-xmlrpc 2016-10-26 08:25:45 EDT 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:2108
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.