Bug 1375713 - CloudForms 4.1 Child tenant user able to delete catalog Item from parent tenant user in UI
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.6.0
Hardware: All
OS: All
high
medium
Target Milestone: GA
: 5.11.0
Assignee: Joe Rafaniello
QA Contact: Pavol Kotvan
URL:
Whiteboard: catalog:tenant
Depends On:
Blocks:
 
Reported: 2016-09-13 20:00 UTC by myoder
Modified: 2021-09-09 11:56 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-01 14:13:56 UTC
Category: Bug
Cloudforms Team: CFME Core
Target Upstream Version:



Description myoder 2016-09-13 20:00:32 UTC
Description of problem: A user with the child tenant role is able to delete/edit a catalog item created by an admin user attached to a parent tenant within the web UI.


Version-Release number of selected component (if applicable): CloudForms 4.1


How reproducible: Always


Steps to Reproduce:
1. Create a catalog item with admin user attached to the parent tenant
2. Create a new user as a child tenant with an admin role.
3. Have the user attached to the child tenant delete the catalog item created by the admin.

Actual results: Child tenant user is allowed to edit/remove the catalog item.


Expected results: Child tenant should not have access to edit/remove the catalog of the parent tenant.


Additional info:

Comment 5 Marianne Feifer 2017-10-03 18:20:28 UTC
John, looks like there was a needinfo for you way back. Not sure where this stands.

Comment 6 Marianne Feifer 2017-10-03 18:20:29 UTC
John, looks like there was a needinfo for you way back. Not sure where this stands.

Comment 8 Joe Rafaniello 2018-07-31 17:15:12 UTC
I believe this is by design:

'ServiceTemplate'        => :ancestor_ids,

https://github.com/ManageIQ/manageiq/blob/2a66cb59e26816c7296896620b5b7731b350943d/lib/rbac/filterer.rb#L114

You're able to see Catalog items of parent and ancestor tenants. If your role has permission to modify catalog items / delete them, and you can see ones from ancestor tenants, then you can delete them.

Brad, is this still the desired functionality?
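
The interaction described in comment 8, modeled as an added example that is not part of the original bug report and is not ManageIQ code: an ancestor-based read scope combined with a role-level delete permission, next to a stricter write scope and an audit helper that lists the inherited items a user could delete. All class, function and feature names are hypothetical, and the sample tenants and items are constructed.

```ruby
# Added illustration only. Tenant, User, Item, the :catalog_item_delete feature
# name and all policy functions are hypothetical, not ManageIQ identifiers.
Tenant = Struct.new(:id, :parent) do
  # IDs of every tenant above this one, nearest first.
  def ancestor_ids
    parent ? [parent.id] + parent.ancestor_ids : []
  end
end
User = Struct.new(:name, :tenant, :features)
Item = Struct.new(:name, :tenant)

# Read scope under an ancestor-based strategy: own tenant plus all ancestors.
def visible?(user, item)
  ([user.tenant.id] + user.tenant.ancestor_ids).include?(item.tenant.id)
end

# Behaviour described in comment 8: role feature plus visibility permits delete.
def can_delete_as_described?(user, item)
  user.features.include?(:catalog_item_delete) && visible?(user, item)
end

# Stricter write scope (an assumption, not project behaviour): the item must
# belong to the user's own tenant, so inherited items stay read-only.
def can_delete_strict?(user, item)
  user.features.include?(:catalog_item_delete) && item.tenant.id == user.tenant.id
end

# Audit helper: items a user can delete only because they are inherited.
def inherited_deletable(user, items)
  items.select { |i| can_delete_as_described?(user, i) && !can_delete_strict?(user, i) }
end

# Constructed sample data: parent tenant -> child tenant.
PARENT = Tenant.new(1, nil)
CHILD = Tenant.new(2, PARENT)
ITEMS = [Item.new("parent-item", PARENT), Item.new("child-item", CHILD)].freeze
CHILD_ADMIN = User.new("child-admin", CHILD, [:catalog_item_delete])
PARENT_VIEWER = User.new("parent-viewer", PARENT, [])

if __FILE__ == $PROGRAM_NAME
  puts inherited_deletable(CHILD_ADMIN, ITEMS).map(&:name).inspect
end
```

Running the audit helper over every user with a modify or delete feature shows which parent-tenant catalog items are exposed to child-tenant roles under the inherited-visibility design.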

