Bug 1410929 - Should not be able to create a product that does not match my permissions
Summary: Should not be able to create a product that does not match my permissions
Keywords:
Status: CLOSED DUPLICATE of bug 1384035
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks: 1316897
Reported: 2017-01-06 21:13 UTC by Stuart Auchterlonie
Modified: 2017-04-25 16:18 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-09 09:48:43 UTC
Target Upstream Version:



Description Stuart Auchterlonie 2017-01-06 21:13:09 UTC
Description of problem:

A user with limited permissions can create a product with any
name, even one that does not match the search filter.

Version-Release number of selected component (if applicable):

6.2.2 - 6.2.6

How reproducible:

100%

Steps to Reproduce:
1. The role assigned to the user has the following permission set:

# hammer -u admin -p redhat role filters --id=22
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH                                                          | UNLIMITED? | ROLE    | PERMISSIONS                                                                     
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
167 | Katello::Product        | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_products, create_products, edit_products, destroy_products, sync_product...
168 | Katello::System         | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_content_hosts, edit_content_hosts                                          
169 | Katello::ContentView    | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_content_views, create_content_views, edit_content_views, destroy_content...
170 | Host                    | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_hosts, edit_hosts                                                          
171 | Katello::HostCollection | name ~ "Test_*_Dev" || name ~ "Test_*_QA"                       | no         | Limited | view_host_collections, edit_host_collections                                    
172 | JobInvocation           | none                                                            | yes        | Limited | create_job_invocations, view_job_invocations                                    
173 | Katello::KTEnvironment  | name ~ Dev || name ~ QA                                         | no         | Limited | view_lifecycle_environments, edit_lifecycle_environments, promote_or_remove_c...
174 | Katello::ActivationKey  | name ~ ak_test                                                  | no         | Limited | view_activation_keys, create_activation_keys, edit_activation_keys, destroy_a...
176 | Organization            | none                                                            | yes        | Limited | view_organizations, assign_organizations, view_subscriptions, attach_subscrip...
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------

2. Log in to the web UI as the limited user (with the above role)
and create a product with a name that doesn't match the search
filter (i.e. wedgie).


Actual results:

This product (step #2) is then created, but the limited
user cannot remove it, since it doesn't match the filter.

Expected results:

The user cannot create the product with a name that does
not match the search filter.

Additional info:

Comment 3 Marek Hulan 2017-01-09 09:48:43 UTC
I think this is a consequence of bz 1384035 so I'm marking it as a duplicate. If I misunderstood, please reopen. I'd also suggest linking the case and additional comments there. Thank you.

*** This bug has been marked as a duplicate of bug 1384035 ***
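
The gap described in the report, as an added example that is not part of the original bug report and is not Satellite or Foreman code: a permission-only check accepts a create for any name, while a check that also applies the filter's search clause to the proposed record rejects "wedgie". The class names, method names and the simplified wildcard matching for `~` are assumptions made for illustration.

```ruby
# Added example: simplified model of a role filter, not Satellite/Foreman code.
class RoleFilter
  # Assumption: in `name ~ "Test_*"`, `*` matches any run of characters and
  # the rest of the pattern is literal, anchored at both ends.
  def initialize(resource_type, patterns, permissions)
    @resource_type = resource_type
    @permissions = permissions
    @regexps = patterns.map do |p|
      body = p.split('*', -1).map { |part| Regexp.escape(part) }.join('.*')
      Regexp.new("\\A#{body}\\z")
    end
  end

  # True when this filter lists the permission for the resource type.
  def grants?(permission, resource_type)
    @resource_type == resource_type && @permissions.include?(permission)
  end

  # True when the record name falls inside the filter's search clause.
  def covers?(name)
    @regexps.any? { |re| re.match?(name) }
  end
end

class Authorizer
  def initialize(filters)
    @filters = filters
  end

  # Permission-only check: ignores the search clause. For a create action
  # this models the reported outcome (any name is accepted).
  def allowed_unscoped?(permission, resource_type)
    @filters.any? { |f| f.grants?(permission, resource_type) }
  end

  # Scoped check: the record (existing, or about to be created) must also
  # fall inside the search clause of a filter that grants the permission.
  def allowed_scoped?(permission, resource_type, name)
    @filters.any? { |f| f.grants?(permission, resource_type) && f.covers?(name) }
  end
end

# Constructed from filter 167 in the report (permission list shortened).
LIMITED = Authorizer.new([
  RoleFilter.new('Katello::Product', ['Test_*', 'rhel7*'],
                 %w[view_products create_products edit_products destroy_products])
])
```

Running the same scoped check for `destroy_products` on "wedgie" returns false, which matches the report that the user could not remove the product afterwards.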

