Bug 1458722 - even with "Allow Organization Admin to manage Organization Configuration" you can change some organization config options
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 580
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Assignee: Grant Gainey
QA Contact: Radovan Drazny
URL:
Whiteboard:
Depends On:
Blocks: sat58-errata
Reported: 2017-06-05 10:17 UTC by Jan Hutař
Modified: 2017-09-06 12:27 UTC (History)

Fixed In Version: spacewalk-java-2.5.14-90-sat
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-06 12:27:53 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2645 0 normal SHIPPED_LIVE Moderate: satellite and spacewalk security and bug fix update 2017-09-06 16:26:43 UTC

Description Jan Hutař 2017-06-05 10:17:57 UTC
Description of problem:
Even with "Allow Organization Admin to manage Organization Configuration" you can change some organization config options


Version-Release number of selected component (if applicable):
spacewalk-java-2.5.14-89.el6sat.noarch


How reproducible:
always


Steps to Reproduce:
1. Create organization and make sure "Allow Organization Admin to manage
   Organization Configuration" is disabled (org admin is not supposed to
   change e.g. "Enable Errata E-mail Notifications (for users belonging to
   this organization)"
     Admin -> Organizations -> <org> -> Configuration -> Allow Organization
       Admin to manage Organization Configuration 
2. Login as admin of that new organization and go to Overview -> Your
   Organization -> Configuration
3. Using web browser remove "disabled='disabled'" from "Enable Errata E-mail
   Notifications" checkbox and "Update Organization" button and change
   the settings (there will be "Size limit modification must be a valid non
   negative number." warning, but that does not seem to be relevant)


Actual results:
Setting gets changed. Looks like you are able to change every setting on the page this way.


Expected results:
Setting should not be changed.


Additional info:
Not sure if this qualifies as a security issue (theoretically you can cause bad things by disabling "Enable Errata E-mail Notifications" for your whole organization even when the satellite admin did not grant you the right to disable it).

Comment 1 Grant Gainey 2017-07-18 15:14:49 UTC
spacewalk.github:
d9880a0e0dcf962b007f1204e8ee325e801a2253

Comment 4 Radovan Drazny 2017-08-09 14:02:20 UTC
Reproduced on spacewalk-java-2.5.14-89.el6sat with the reproducer from the initial report. Using dev-tools in FF I was able to re-enable all disabled check boxes and the "update" button as well, and change the settings afterwards.

After updating to spacewalk-java-2.5.14-91.el6sat and trying the same procedure as before, I was able to re-enable all controls on the web page, but after pressing the "update" button, all settings reverted back to the original state, as set by the global satellite admin.

VERIFIED
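The root cause in the initial report and the behaviour verified in comment 4 come down to one rule: the HTML `disabled` attribute is a presentation hint that any browser can drop, so the update handler must make the authorization decision from server-side state and leave protected settings at the values the satellite admin set. The following is an added example written for this page, not Spacewalk or Satellite code; the field names, the `Organization`/`Actor` model and the audit-line format are assumptions, with `crash_file_size_limit` standing in for the "size limit" field mentioned in the report's warning.

```python
"""Added example (not Spacewalk/Satellite code): server-side enforcement of
the "Allow Organization Admin to manage Organization Configuration" flag.
The HTML 'disabled' attribute is only a UI hint that a browser can drop, so
the update handler must decide per request whether the caller may write."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Organization:
    name: str
    allow_org_admin_manage_config: bool   # the flag the satellite admin sets
    config: Dict[str, object]             # current settings (hypothetical keys)


@dataclass
class Actor:
    login: str
    is_satellite_admin: bool = False
    org_admin_of: Optional[str] = None    # name of the org this user administers


@dataclass
class UpdateResult:
    effective: Dict[str, object]          # configuration to persist
    rejected: List[str] = field(default_factory=list)
    reason: str = ""


def may_manage_org_config(org: Organization, actor: Actor) -> bool:
    """Authorization decision made from server-side state only; nothing in
    the submitted form can influence it."""
    if actor.is_satellite_admin:
        return True
    return actor.org_admin_of == org.name and org.allow_org_admin_manage_config


def validate_value(key: str, value: object) -> bool:
    """Field validation mirroring the 'valid non negative number' rule for
    the size-limit field in the report (the key name is assumed)."""
    if key == "crash_file_size_limit":
        return isinstance(value, int) and not isinstance(value, bool) and value >= 0
    return True


def apply_org_config_update(org: Organization, actor: Actor,
                            submitted: Dict[str, object]) -> UpdateResult:
    """Merge a posted form into org.config. An unauthorized submission leaves
    every setting at the value set by the satellite admin (the behaviour
    verified for the fixed build); invalid values are dropped individually."""
    effective = dict(org.config)
    if not may_manage_org_config(org, actor):
        # Browsers never submit disabled controls, so receiving these fields
        # from a caller without the grant indicates a tampered form.
        return UpdateResult(effective, sorted(submitted), "not authorized")
    rejected: List[str] = []
    for key, value in submitted.items():
        if key not in org.config or not validate_value(key, value):
            rejected.append(key)          # unknown field or bad value
            continue
        effective[key] = value
    return UpdateResult(effective, sorted(rejected),
                        "invalid fields" if rejected else "")


def audit_line(org: Organization, actor: Actor,
               result: UpdateResult) -> Optional[str]:
    """One log line per rejected update, so tampering attempts are visible to
    whoever reviews the application log (format is an assumption)."""
    if not result.rejected:
        return None
    return (f"org_config_update org={org.name} user={actor.login} "
            f"reason={result.reason!r} rejected={','.join(result.rejected)}")


if __name__ == "__main__":
    # Constructed sample: org admin without the grant posts a re-enabled field.
    org = Organization("eng", False,
                       {"errata_email_notifications": True,
                        "crash_file_size_limit": 100})
    org_admin = Actor("orgadmin1", org_admin_of="eng")
    result = apply_org_config_update(org, org_admin,
                                     {"errata_email_notifications": False})
    print(result.effective)                 # unchanged: notifications stay on
    print(audit_line(org, org_admin, result))
```

The decision is taken once, in `may_manage_org_config`, from the organization flag and the caller's role; the submitted field set never widens it. Because a browser omits disabled controls from a form post, a protected field arriving from a caller without the grant is a reliable tamper signal, which is why the handler logs it rather than silently discarding it.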

Comment 6 errata-xmlrpc 2017-09-06 12:27:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2645

