Created attachment 1269322 [details]
Proposed patch

Acknowledgments:

Name: Bert Stel (SUSE)

Hello Adam,

the proposed patch does not seem to fix anything. If you have a reproducer will  you mind to share it with us?

The reason given to me by our maintainer is:

the select previously will always report success as a dictionary is returned (element size 1). the patch changes it to count the entries in this dictionary instead.

can you contact our developer
Can Bulut Bayburt ( can.bulut.bayburt@suse.com )
 
for more information?

Steps to Reproduce:
1. install Satellite / Spacewalk server
2. create Admin user
3. create system group Group1
4. create User1, standard (non-admin) user, make it Group1 administrator
5. create User2, standard (non-admin) user
6. create User3, admin user, and disable it
7. register a system into Satellite / Spacewalk and add it to Group1
8. on the system use rhn-channel to add/remove chnnels as user Admin, User1, User2, User3

Actual results:
all user can add/remove channels

Expected results:
only Admin and User1 can manipulate channels

Additional info:
All users, group and server belong to the same org

Statement:

This issue affects the versions of spacewalk-backend as shipped with Red Hat Satellite version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

does this mean you are not going to assign a CVE?

Has been an embargo date decided already?

This issue has been addressed in the following products:

  Red Hat Satellite 5.7
  Red Hat Satellite 5.6

Via RHSA-2017:1259 https://access.redhat.com/errata/RHSA-2017:1259