Bug 1450839 - Restricted user can see vm/instance from different groups which have tags from users group
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Appliance
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: GA
Target Release: 5.9.0
Assignee: Libor Pichler
QA Contact: Dave Johnson
URL:
Whiteboard: report:tag:rbac
Depends On:
Blocks:
Reported: 2017-05-15 09:30 UTC by Ruslana Babyuk
Modified: 2018-04-20 16:28 UTC (History)

Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-03-01 13:12:35 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1570119 0 high CLOSED Inconsistency in group/tag restriction - users groups 2021-06-10 15:55:43 UTC
Red Hat Product Errata RHSA-2018:0380 0 normal SHIPPED_LIVE Moderate: Red Hat CloudForms security, bug fix, and enhancement update 2018-03-01 18:37:12 UTC

Internal Links: 1570119

Description Ruslana Babyuk 2017-05-15 09:30:00 UTC
Description of problem:
User can see items from different groups but tagged by the user's group tag

Version-Release number of selected component (if applicable):
5.7.1, 5.7.2, 5.8.0

How reproducible:
100%

Steps to Reproduce:
1. As admin, create 2 tenants (tenant1, tenant2)
2. Create role with "Only group and user owned" restriction (user_role)
3. Add 2 groups with 'user_role' role and set 2 different tags (group1->tag1, group2->tag2)
4. Create 2 users, and assign to groups (group1-> user1, group2->user2)
5. Add provider (infra or cloud)
6. Set ownership for 2 instances (instance1->group1, instance2->group2)
7. Set tags for instances (instance1->tag2, instance2->tag1)
8. Get content for "Recently Discovered Vms" widget
9. Login as user1 or user2, navigate to dashboard

Actual results:
Widget displays 2 instances

Expected results:
With such configuration, user should not see any instances, as both groups also have tag restriction

Additional info:

Comment 8 errata-xmlrpc 2018-03-01 13:12:35 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0380
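
The expected visibility rule from the Description above, written as a small regression check. This is an added example, not CloudForms/ManageIQ code: the structs, function names and fixture are a constructed, simplified model of steps 2 to 7 (tenants are left out), and the rule "ownership AND group tag filter" is taken from the "Expected results" line.

```ruby
require "set"

# Simplified model of the setup in "Steps to Reproduce" (constructed data,
# hypothetical names; these are not ManageIQ/CloudForms classes).
Group    = Struct.new(:name, :tag_filter)
User     = Struct.new(:name, :group)
Instance = Struct.new(:name, :owner_group, :tags)

# Expected rule from the report: with an "Only group and user owned" role
# AND a group tag filter, an instance is visible only if it passes both.
def visible?(user, instance)
  owned  = instance.owner_group == user.group.name
  tagged = instance.tags.include?(user.group.tag_filter)
  owned && tagged
end

def expected_visible(user, instances)
  instances.select { |i| visible?(user, i) }.map(&:name).to_set
end

# Names a user was shown (e.g. widget rows) that the rule does not allow.
def leaked(user, instances, shown_names)
  shown_names.to_set - expected_visible(user, instances)
end

# Steps 3, 4, 6 and 7: ownership and tags deliberately crossed.
def repro_fixture
  g1 = Group.new("group1", "tag1")
  g2 = Group.new("group2", "tag2")
  users = [User.new("user1", g1), User.new("user2", g2)]
  instances = [
    Instance.new("instance1", "group1", Set["tag2"]),
    Instance.new("instance2", "group2", Set["tag1"]),
  ]
  [users, instances]
end

if __FILE__ == $PROGRAM_NAME
  users, instances = repro_fixture
  shown = %w[instance1 instance2] # "Actual results": widget displays 2 instances
  users.each do |u|
    puts "#{u.name}: expected=#{expected_visible(u, instances).to_a} " \
         "leaked=#{leaked(u, instances, shown).to_a}"
  end
end
```

For both users the expected set is empty, so every row the widget showed counts as leaked.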

