Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1429590

Summary: Managing repositories with their id via hammer does not respect the role filters
Product: Red Hat Satellite Reporter: Christian Marineau <cmarinea>
Component: RepositoriesAssignee: Brad Buckingham <bbuckingham>
Status: CLOSED DUPLICATE QA Contact: Katello QA List <katello-qa-list>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 6.2.7CC: andrew.schofield, bbuckingham, bkearney, dlezzoum, jcallaha, kabbott, lzap, mhulan, tbrisker
Target Milestone: UnspecifiedKeywords: Security, Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-05-11 16:07:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1434106    

Description Christian Marineau 2017-03-06 16:20:36 UTC 
Description of problem:
After settings a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.

Version-Release number of selected component (if applicable):
6.2.7

How reproducible:
100%

Steps to Reproduce:
1. Have repositories from more than 1 Product, by example:
     Red Hat Enterprise Linux Server
     Red Hat Satellite
     Custom_Product 
   
   Optional -> You can also have 2 Organization and only allow 1 of them through the filter:
     MyOrg
     OtherOrg 

2. Create a new role "Custom_bug_role"

3. Create the following 2 filters for that role
   Filter 1
     Resource type: Organization
     Permission: view_organizations
     Search filter: name = "MyOrg"

   Filter 2
     Resource type: Product and Repositories
     Permission: view_products, edit_products, sync_products
     Search filter: name = "Red Hat Enterprise Linux Server"

4. Create a test user and assign the custom role
     Username: Test_bug_user
     Role: Custom_bug_role

5. With hammer, list the repository using the test user credentials
     A. Listing the repositories works as expected, only "Red Hat Enterprise Linux Server" repositories will be displayed:
       # hammer -u Test_bug_user -p testbug repository list --organization MyOrg
       [...]
       33 | Red Hat Enterprise Linux 7 Server Kickstart x86_64 7.1           | Red Hat Enterprise Linux Server | yum
       27 | Red Hat Enterprise Linux 7 Server - Extras RPMs x86_64           | Red Hat Enterprise Linux Server | yum
       [...]
   
     B. Showing repository information using it's ID allows the user to see any repository (from any Product or any Organisation), this is not expected:
        # hammer -u Test_bug_user -p testbug repository info --id 62
          ID:                 62
          Name:               Custom_Repo
          Label:              Custom_Repo
          Organization:       OtherOrg
          Red Hat Repository: no
          Content Type:       yum
          [...]

     C. Uploading a package to a any repository is also possible using its ID (from any Product or any Organisation), this is not expected and it is a security issue:
        # hammer -u Test_bug_user -p testbug repository upload-content --id 62 --path test.rpm 
        Successfully uploaded file 'test.rpm'.

It seems like when we specify --product --name --organization, the permission are applied correctly. However, it looks like using their id bypass this.

Actual results:
When using repository id, we can show info from any repository and upload new package to them.

Expected results:
Have the role filters applied on the resource whether we are using the name or the id

Additional info:
This has been identity as a security issue by the customer, as unexpected user can alter the repository content.
Comment 2 Brad Buckingham 2017-03-08 14:51:21 UTC 
Created redmine issue http://projects.theforeman.org/issues/18838 from this bug
Comment 3 Brad Buckingham 2017-03-08 15:12:59 UTC 
Proposed PR upstream: https://github.com/Katello/katello/pull/6659
Comment 4 Djebran Lezzoum 2017-05-11 15:16:47 UTC 
perhaps this has the same root cause with bug https://bugzilla.redhat.com/show_bug.cgi?id=1410916
Comment 5 Djebran Lezzoum 2017-05-11 16:07:19 UTC 

*** This bug has been marked as a duplicate of bug 1410916 ***