Description of problem:
A user with limited permissions can create a product with any name, even one that does not match the search filter

Version-Release number of selected component (if applicable):
6.2.2 - 6.2.6

How reproducible:
100%

Steps to Reproduce:
1. The role assigned to the user has the following permission set

# hammer -u admin -p redhat role filters --id=22
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
ID  | RESOURCE TYPE           | SEARCH                                                          | UNLIMITED? | ROLE    | PERMISSIONS
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
167 | Katello::Product        | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_products, create_products, edit_products, destroy_products, sync_product...
168 | Katello::System         | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_content_hosts, edit_content_hosts
169 | Katello::ContentView    | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_content_views, create_content_views, edit_content_views, destroy_content...
170 | Host                    | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_hosts, edit_hosts
171 | Katello::HostCollection | name ~ "Test_*_Dev" || name ~ "Test_*_QA"                       | no         | Limited | view_host_collections, edit_host_collections
172 | JobInvocation           | none                                                            | yes        | Limited | create_job_invocations, view_job_invocations
173 | Katello::KTEnvironment  | name ~ Dev || name ~ QA                                         | no         | Limited | view_lifecycle_environments, edit_lifecycle_environments, promote_or_remove_c...
174 | Katello::ActivationKey  | name ~ ak_test                                                  | no         | Limited | view_activation_keys, create_activation_keys, edit_activation_keys, destroy_a...
176 | Organization            | none                                                            | yes        | Limited | view_organizations, assign_organizations, view_subscriptions, attach_subscrip...
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------

2. Log in to the web UI as the limited user (with the above role) and create a product with a name that doesn't match the search filter (i.e. wedgie).

Actual results:
This product (step #2) is then created, but the limited user cannot remove it, since it doesn't match the filter.

Expected results:
The user cannot create the product with a name that does not match the search filter

Additional info:

I think this is a consequence of bz 1384035 so I'm marking it as a duplicate. If I misunderstood, please reopen. I'd also suggest linking the case and additional comments there. Thank you.

*** This bug has been marked as a duplicate of bug 1384035 ***