Bug 1428545
| Summary: | If you're an admin of a sub org and you try modifying the orgs you have access to, it will incorrectly say successful | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Peter Gervase <pgervase> |
| Component: | Users & Roles | Assignee: | satellite6-bugs <satellite6-bugs> |
| Status: | CLOSED ERRATA | QA Contact: | Jonathon Turel <jturel> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.2.6 | CC: | arahaman, bbuckingham, dhlavacd, jcallaha, jturel, mhulan, pgervase |
| Target Milestone: | Unspecified | Keywords: | Triaged |
| Target Release: | Unused | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-02-21 16:54:17 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1545876 | | |
Thanks for the report. This has already been fixed and will be delivered with Satellite 6.3. It was fixed as part of a big change that modified the way we protect attributes, "strong parameters". The change was done as part of http://projects.theforeman.org/issues/3917. Unfortunately the change is too big to backport to 6.2.

For reference, we used to clear the :organization_ids and :location_ids parameters when a user was updated, in app/controllers/concerns/foreman/controller/users_mixin.rb (method clear_params_on_update); therefore the resulting set of attributes didn't contain the change, and the command result looked successful because no change was even attempted. To see the change, one can run the following:

```
git show 12612809c5deb885b13ceaf36b6a147c21688eb5 app/controllers/concerns/foreman/controller/users_mixin.rb
```

I kindly ask QE to verify when they test the 6.3 release.

For QE during verification: if the user does not have the assign_organization permission for the organization he or she tries to assign, the following error message is displayed:

```
Could not update the user: Organization ids Invalid organizations selection, you must select at least one of yours
```

I was able to verify this successfully in Sat 6.3 Snap 11 => satellite-6.3.0-16.0.beta.el7sat.noarch
I created a new user and made them a (Foreman) Admin:

```
hammer -u admin -p changeme user info --login suborguser
Id: 5
Login: suborguser
Name:
Email: jturel
Admin: yes
Effective admin: yes
Authorized by: Internal
Locale: default
Timezone:
Last login: 2017/08/16 20:59:07
Description:
Default organization:
Default location:
Roles:
    Default role
User groups:
Inherited User groups:
Organizations:
    suborg
Created at: 2017/08/16 19:20:35
Updated at: 2017/08/16 20:58:56
```

As that user I attempted to add an additional role:

```
hammer -u suborguser -p changeme user update --login suborguser --organizations 'Default Organization,suborg'
User [suborguser] updated
```

Got success with exit code 0.
Tested the negative case by taking away the suborg user's admin access:

```
hammer -u admin -p changeme user info --login suborguser
Id: 5
Login: suborguser
Name:
Email: jturel
Admin: no
Effective admin: no
Authorized by: Internal
Locale: default
Timezone:
Last login: 2017/08/16 21:13:53
Description:
Default organization:
Default location:
Roles:
    Default role
User groups:
Inherited User groups:
Organizations:
    Default Organization
    suborg
Created at: 2017/08/16 19:20:35
Updated at: 2017/08/16 21:20:16
```

I could not join the Default Organization:

```
hammer -u suborguser -p changeme user update --login suborguser --organizations 'Default Organization,suborg'
Could not update the user:
  Forbidden - server refused to process the request
```
When I gave suborguser the view_users, view_organizations, and assign_organization permissions, they could take themselves out of the default org but could not add themselves back afterward, which makes sense to me.

```
hammer -u suborguser -p changeme user update --login suborguser --organizations 'suborg'
User [suborguser] updated
hammer -u suborguser -p changeme user update --login suborguser --organizations 'Default Org,suborg'
Could not update the user:
  Error: one of organizations not found
```
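To make the mechanism described in the comments above concrete, here is an added example in plain Ruby. It is not Foreman or Satellite code: it models the pre-6.3 update path, where the organization and location ids were stripped from the attribute hash before the save (so the save had nothing to change and still reported success), beside a post-fix path that lets the ids through and validates them against what the acting user may assign. The User struct, the flat permission list, the self-edit rule in can_edit?, and the numeric organization ids are assumptions made for this example; only the error strings are taken from the comments.

```ruby
require 'set'

# Simplified stand-ins for Foreman's User record and its permission set.
# (Assumption for this example: a flat permission list; Foreman derives
# permissions from roles and filters.)
User = Struct.new(:login, :admin, :organization_ids, :permissions, keyword_init: true)

Result = Struct.new(:status, :message) do
  def success?
    status == :success
  end
end

FORBIDDEN = 'Forbidden - server refused to process the request'
ESCALATION = 'Could not update the user: Organization ids Invalid organizations ' \
             'selection, you must select at least one of yours'

# Hypothetical authorization rule (assumption): admins and holders of
# edit_users may edit anyone; a user may edit their own record if they can
# at least view users.
def can_edit?(actor, target)
  actor.admin ||
    actor.permissions.include?(:edit_users) ||
    (actor.login == target.login && actor.permissions.include?(:view_users))
end

# Pre-6.3 behaviour as described in the comments: organization_ids and
# location_ids are dropped from the attribute hash before the save, so the
# save changes nothing and still reports success (exit code 0 in hammer).
def legacy_update(actor, target, params)
  return Result.new(:forbidden, FORBIDDEN) unless can_edit?(actor, target)

  attrs = params.dup
  attrs.delete(:organization_ids)   # the silent drop
  attrs.delete(:location_ids)
  target.login = attrs[:login] if attrs.key?(:login)   # only the surviving attrs are applied
  Result.new(:success, "User [#{target.login}] updated")
end

# 6.3 behaviour: organization_ids are permitted through and the requested set
# is validated against what the acting user may assign (admins may assign any
# organization; everyone else only organizations they belong to).
def fixed_update(actor, target, params)
  return Result.new(:forbidden, FORBIDDEN) unless can_edit?(actor, target)

  if params.key?(:organization_ids)
    wanted = params[:organization_ids].to_set
    allowed = actor.admin ? wanted : actor.organization_ids.to_set
    return Result.new(:error, ESCALATION) unless wanted.subset?(allowed)

    target.organization_ids = wanted.to_a
  end
  target.login = params[:login] if params.key?(:login)
  Result.new(:success, "User [#{target.login}] updated")
end

# Replays the scenarios from the report and the verification with constructed
# users and returns each outcome, so the behaviour can be checked offline.
def replay
  default_org = 1
  suborg = 2
  outcomes = {}

  # 1. Reporter's case: a Foreman admin whose only organization is the sub org.
  admin_user = User.new(login: 'pgsuborg', admin: true, organization_ids: [suborg], permissions: [])
  r = legacy_update(admin_user, admin_user, organization_ids: [default_org, suborg])
  outcomes[:legacy_admin] = [r.success?, admin_user.organization_ids.dup]   # "success", nothing changed

  admin_user = User.new(login: 'pgsuborg', admin: true, organization_ids: [suborg], permissions: [])
  r = fixed_update(admin_user, admin_user, organization_ids: [default_org, suborg])
  outcomes[:fixed_admin] = [r.success?, admin_user.organization_ids.dup]    # success, and changed

  # 2. Non-admin with no permissions at all: refused before any validation.
  plain = User.new(login: 'suborguser', admin: false, organization_ids: [suborg], permissions: [])
  outcomes[:fixed_no_perms] = fixed_update(plain, plain, organization_ids: [default_org, suborg]).status

  # 3. Non-admin with view/assign permissions: may shrink to a subset of their
  #    own organizations, may not add one they are no longer a member of.
  limited = User.new(login: 'suborguser', admin: false,
                     organization_ids: [default_org, suborg],
                     permissions: [:view_users, :view_organizations, :assign_organization])
  outcomes[:fixed_shrink] = fixed_update(limited, limited, organization_ids: [suborg]).status
  outcomes[:fixed_regrow] = fixed_update(limited, limited, organization_ids: [default_org, suborg]).message
  outcomes
end

if __FILE__ == $PROGRAM_NAME
  replay.each { |name, outcome| puts "#{name}: #{outcome.inspect}" }
end
```

Running the file prints each scenario's outcome. The one to notice is the legacy case: the call reports success while the user's organization list is unchanged, which is exactly the false positive the report describes; the fixed path either applies the change or returns an error the caller can act on.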
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336
Description of problem:

If you're an admin of a sub org and you try modifying the orgs you have access to, when you hit submit, the webui will say successful. You then go to verify that, and you're still in the org you've been assigned to. The webui shouldn't say successful.

This is also the case with hammer:

```
[root@prod rpm]# hammer user info --login pgsuborg
[Foreman] Password for admin:
Id: 19
Login: pgsuborg
Name:
Email: pgsuborg@localhost
Admin: yes
Authorized by: Internal
Locale: default
Timezone:
Last login: 2017/03/02 19:24:46
Default organization:
Default location:
Roles:
    Anonymous
User groups:
Organizations:
    pgsuborg
Created at: 2017/03/02 16:58:47
Updated at: 2017/03/02 19:24:46
[root@prod rpm]# hammer -u pgsuborg user update --login pgsuborg --organizations prod
[Foreman] Password for pgsuborg:
User [pgsuborg] updated
[root@prod rpm]# echo $?
0
[root@prod rpm]# hammer user info --login pgsuborg
[Foreman] Password for admin:
Id: 19
Login: pgsuborg
Name:
Email: pgsuborg@localhost
Admin: yes
Authorized by: Internal
Locale: default
Timezone:
Last login: 2017/03/02 19:25:54
Default organization:
Default location:
Roles:
    Anonymous
User groups:
Organizations:
    pgsuborg
Created at: 2017/03/02 16:58:47
Updated at: 2017/03/02 19:25:54
[root@prod rpm]#
```

Version-Release number of selected component (if applicable):

How reproducible:
100%

Steps to Reproduce:
1. Create an admin user for a suborg
2. As that user, in either the webui or hammer, try modifying yourself so you are in a different or an additional org
3.

Actual results:
The results show successful, but it really isn't.

Expected results:
A correct permission denied error

Additional info: