Description of problem:
Even with "Allow Organization Admin to manage Organization Configuration" you can change some organization config options
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create organization and make sure "Allow Organization Admin to manage
Organization Configuration" is disabled (org admin is not supposed to
change e.g. "Enable Errata E-mail Notifications (for users belonging to
Admin -> Organizations -> <org> -> Configuration -> Allow Organization
Admin to manage Organization Configuration
2. Login as admin of that new organization and go to Overview -> Your
Organization -> Configuration
3. Using the web browser, remove "disabled='disabled'" from the "Enable Errata E-mail
Notifications" checkbox and the "Update Organization" button and change
the settings (there will be "Size limit modification must be a valid non
negative number." warning, but that does not seem to be relevant)
Actual results:
Setting gets changed. Looks like you are able to change every setting on the page this way.
Expected results:
Setting should not be changed.
Not sure if this qualifies as a security issue (theoretically you can cause bad things by disabling "Enable Errata E-mail Notifications" for your whole organization even when the satellite admin did not grant you the right to disable it).
Reproduced on spacewalk-java-2.5.14-89.el6sat with the reproducer from the initial report. Using dev-tools in FF I was able to re-enable all disabled check boxes and the "update" button as well, and change the settings afterwards.
After updating to spacewalk-java-2.5.14-91.el6sat and trying the same procedure as before, I was able to re-enable all controls on the web page, but after pressing the "update" button, all settings reverted back to the original state, as set by the global satellite admin.
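The behaviour verified above (controls can still be re-enabled in the browser, but the submission has no effect) comes from deciding authorization on the server from stored state. The following is an added sketch of such a check, not the spacewalk-java patch; every class, role, field and form-parameter name in it is hypothetical, and the request is a constructed sample.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Logger;

// Added illustration only: all names here are hypothetical, not Spacewalk's API.
public class OrgConfigUpdate {
    private static final Logger LOG = Logger.getLogger("orgconfig");

    enum Role { SATELLITE_ADMIN, ORG_ADMIN }

    static class OrgConfig {
        // "Allow Organization Admin to manage Organization Configuration"
        boolean orgAdminMayManage = false;
        // "Enable Errata E-mail Notifications"
        boolean errataEmailEnabled = true;
    }

    /** Applies a submitted form; returns true only if the stored config was updated. */
    static boolean update(Role caller, OrgConfig stored, Map<String, String> form) {
        // The decision uses server-side state only. The "disabled" attribute in the
        // rendered page is a UI hint that the client is free to remove.
        if (caller != Role.SATELLITE_ADMIN && !stored.orgAdminMayManage) {
            // A submission here cannot come from the unmodified page, so record it.
            LOG.warning("refused org config update from " + caller + ": " + form.keySet());
            return false; // stored values stay exactly as the satellite admin set them
        }
        // An HTML checkbox appears in the POST body only when it is ticked.
        stored.errataEmailEnabled = form.containsKey("errata_emails");
        return true;
    }

    public static void main(String[] args) {
        OrgConfig cfg = new OrgConfig(); // delegation off, notifications on
        // Constructed request: controls re-enabled client-side, checkbox unticked.
        Map<String, String> forged = new HashMap<>();
        forged.put("submitted", "true");

        boolean applied = update(Role.ORG_ADMIN, cfg, forged);
        System.out.println("delegation off: applied=" + applied
                + " errataEmail=" + cfg.errataEmailEnabled);

        cfg.orgAdminMayManage = true; // satellite admin delegates management
        applied = update(Role.ORG_ADMIN, cfg, forged);
        System.out.println("delegation on:  applied=" + applied
                + " errataEmail=" + cfg.errataEmailEnabled);
    }
}
```

A regression test for this class of bug should post the form directly as the organization admin with delegation disabled and assert that the stored values are unchanged, since a test driven through the rendered page never exercises the disabled controls.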
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.