Bug 1450961 - SSUI: Restricted user(tag) can see service items list(but cannot open or order them)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: UI - Service
Version: 5.8.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.9.0
Assignee: Allen W
QA Contact: Ruslana Babyuk
URL:
Whiteboard: ssui:tag
Depends On:
Blocks: 1451078
 
Reported: 2017-05-15 13:07 UTC by Ruslana Babyuk
Modified: 2018-03-06 14:49 UTC (History)
CC List: 6 users

Fixed In Version: 5.9.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1451078
Environment:
Last Closed: 2018-03-06 14:49:48 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:



Description Ruslana Babyuk 2017-05-15 13:07:00 UTC
Description of problem:
Service items are visible for tag restricted user

Version-Release number of selected component (if applicable):
5.8.0.14

How reproducible:
100%

Steps to Reproduce:
1. Create role1(without restriction)
2. Create group1 with role1 and any tag
3. Create user1 and assign group1
4. Create catalog and service item (mark "Display in catalog" checkbox)
5. Login to SSUI as user1
6. Open Service Catalog tab

Actual results:
Service item is visible for restricted user

Expected results:
The service item should not be visible to the restricted user; in this case only tagged items should be visible to the user.

Additional info:
User cannot open or order visible services

Comment 2 Allen W 2017-05-15 13:46:04 UTC
If user1 is being assigned group1, which is assigned an unrestricted role, wouldn't user1 seeing the service item be the expected behavior?  
Oh or is the restricted user, user2?  What are the restrictions placed on this user?

Comment 3 Ruslana Babyuk 2017-05-15 13:54:58 UTC
(In reply to Allen W from comment #2)
> If user1 is being assigned group1, which is assigned an unrestricted role,
> wouldn't user1 seeing the service item be the expected behavior?  
> Oh or is the restricted user, user2?  What are the restrictions placed on
> this user?

Please assign a tag to group1, and if any service doesn't have the same tag as group1, the user should not see any services.

You can check it on my appliance https://10.8.199.14 
with user: user1, password:111
I have 4 service items created and none of them have the tag assigned.

Comment 4 Allen W 2017-05-15 13:58:40 UTC
A VM! The best gift of all, thanks, will check it out!

Comment 5 Allen W 2017-05-15 16:22:52 UTC
Having a real tough time understanding this one, any chance we could do a bluejeans session?   Looking at Access Control, don't see any groups or users, are these LDAP records?  Not able to see what tag is assigned to group1.  Also I see no services in the SUI for the user1 account you posted, 4 service catalogs, but no services.

Comment 6 Ruslana Babyuk 2017-05-15 16:39:52 UTC
(In reply to Allen W from comment #5)
> Having a real tough time understanding this one, any chance we could do a
> bluejeans session?   Looking at Access Control, don't see any groups or
> users, are these LDAP records?  Not able to see what tag is assigned to
> group1.  Also I see no services in the SUI for the user1 account you posted,
> 4 service catalogs, but no services.

Let's do a bluejeans session: https://bluejeans.com/u/rbabyuk/
I am there already.

Comment 7 Allen W 2017-05-15 17:15:14 UTC
Good news bad news on this.  

The bad news is, if a user, without the appropriate tag to view a service template(s), queries the service_catalogs endpoint, they can see EVERYTHING!!!!!! (this is an api hiccup tho).  Quick steps to reproduce in the context of this bz: check out `https://10.8.199.14/api/service_templates` with (user1 - 111) nothing! Yay! Now check out `https://10.8.199.14/api/service_catalogs?expand=resources,service_templates` with the same user/creds, and you SEE STUFF, that service_template stuff, no bueno :(


The good news is, there is already a fix out there, a merged pr that just has to be backported to resolve this issue: `https://github.com/ManageIQ/manageiq-ui-service/pull/741`. It goes back to using the service_templates endpoint.

SO POWERS THAT BE.  You decide, do we backport? save the day?
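The failure mode described in comment 7, modelled as an added example (this is not ManageIQ or CloudForms code, and the names `Template`, `Catalog`, `User`, `list_templates`, `expand_catalogs_unfiltered`, `expand_catalogs_filtered` and `leaked_templates` are hypothetical). A tag-scoped visibility predicate is applied to the direct collection listing but not to templates nested inside an expanded catalog response, so the expansion widens what a restricted user can see. `leaked_templates` is the kind of regression check a reviewer could keep around: anything reachable through expansion that is not reachable through the direct listing is a leak. The sample templates, catalogs and users are constructed for the example.

```python
"""Tag-scoped visibility: direct listing vs. nested expansion.

Constructed model, not ManageIQ/CloudForms code. Shows why a nested
resource expansion must apply the same authorization predicate as the
collection endpoint it mirrors. All names here are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class Template:
    name: str
    tags: FrozenSet[str]          # e.g. frozenset({"department/qa"})


@dataclass(frozen=True)
class Catalog:
    name: str
    templates: List[Template]


@dataclass(frozen=True)
class User:
    name: str
    group_tags: FrozenSet[str]    # empty set models an unrestricted group


def visible(user: User, tpl: Template) -> bool:
    """Tag restriction: an unrestricted group sees everything; a tagged
    group sees only templates carrying at least one of its tags."""
    return not user.group_tags or bool(user.group_tags & tpl.tags)


def list_templates(user: User, templates: List[Template]) -> List[str]:
    """Direct collection listing: the filter is applied here."""
    return [t.name for t in templates if visible(user, t)]


def expand_catalogs_unfiltered(user: User, catalogs: List[Catalog]) -> Dict[str, List[str]]:
    """Flawed expansion: nested templates are copied through without
    consulting the user's restriction at all."""
    return {c.name: [t.name for t in c.templates] for c in catalogs}


def expand_catalogs_filtered(user: User, catalogs: List[Catalog]) -> Dict[str, List[str]]:
    """Hardened expansion: the same predicate governs nested resources."""
    return {c.name: [t.name for t in c.templates if visible(user, t)] for c in catalogs}


def leaked_templates(user: User, templates: List[Template], catalogs: List[Catalog],
                     expander: Callable[[User, List[Catalog]], Dict[str, List[str]]]) -> List[str]:
    """Regression check: names reachable via expansion but not via the
    direct listing. A non-empty result means expansion widened visibility."""
    direct = set(list_templates(user, templates))
    nested = {n for names in expander(user, catalogs).values() for n in names}
    return sorted(nested - direct)


# Constructed sample data: four untagged templates (as in the report) plus
# one tagged template, split across two catalogs.
TEMPLATES = [
    Template("svc-a", frozenset()),
    Template("svc-b", frozenset()),
    Template("svc-c", frozenset()),
    Template("svc-d", frozenset()),
    Template("svc-qa", frozenset({"department/qa"})),
]
CATALOGS = [Catalog("cat-1", TEMPLATES[:2]), Catalog("cat-2", TEMPLATES[2:])]
USER1 = User("user1", frozenset({"department/qa"}))   # tag-restricted group
ADMIN = User("admin", frozenset())                     # unrestricted group


if __name__ == "__main__":
    print("direct listing for user1:", list_templates(USER1, TEMPLATES))
    print("leak via unfiltered expansion:",
          leaked_templates(USER1, TEMPLATES, CATALOGS, expand_catalogs_unfiltered))
    print("leak via filtered expansion:",
          leaked_templates(USER1, TEMPLATES, CATALOGS, expand_catalogs_filtered))
```

The design point is that `visible` is the single authorization predicate and both code paths call it; the bug in the thread is the shape of `expand_catalogs_unfiltered`, where the nested collection is serialised by a different path than the one that was hardened. Checking `leaked_templates` for every restricted test user against every expanding endpoint catches that class of regression without needing to know which endpoint changed.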

