Bug 1458722 - even with "Allow Organization Admin to manage Organization Configuration" you can change some organization config options
Status: CLOSED ERRATA
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI (Show other bugs)
Severity: low
Assigned To: Grant Gainey
Depends On:
Blocks: sat58-errata
Reported: 2017-06-05 06:17 EDT by Jan Hutař
Modified: 2017-09-06 08:27 EDT (History)
See Also:
Fixed In Version: spacewalk-java-2.5.14-90-sat
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-06 08:27:53 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2645 normal SHIPPED_LIVE Moderate: satellite and spacewalk security and bug fix update 2017-09-06 12:26:43 EDT

Description Jan Hutař 2017-06-05 06:17:57 EDT
Description of problem:
Even with "Allow Organization Admin to manage Organization Configuration" you can change some organization config options


Version-Release number of selected component (if applicable):
spacewalk-java-2.5.14-89.el6sat.noarch


How reproducible:
always


Steps to Reproduce:
1. Create organization and make sure "Allow Organization Admin to manage
   Organization Configuration" is disabled (org admin is not supposed to
   change e.g. "Enable Errata E-mail Notifications (for users belonging to
   this organization)"
     Admin -> Organizations -> <org> -> Configuration -> Allow Organization
       Admin to manage Organization Configuration 
2. Login as admin of that new organization and go to Overview -> Your
   Organization -> Configuration
3. Using web browser remove "disabled='disabled'" from "Enable Errata E-mail
   Notifications" checkbox and "Update Organization" button and change
   the settings (there will be "Size limit modification must be a valid non
   negative number." warning, but that does not seem to be relevant)


Actual results:
Setting gets changed. Looks like you are able to change every setting on the page this way.


Expected results:
Setting should not be changed.


Additional info:
Not sure if this qualifies as a security issue (theoretically you can cause bad things by disabling "Enable Errata E-mail Notifications" for your whole organization even when the satellite admin did not grant you the right to disable it).
Comment 1 Grant Gainey 2017-07-18 11:14:49 EDT
spacewalk.github:
d9880a0e0dcf962b007f1204e8ee325e801a2253
Comment 4 Radovan Drazny 2017-08-09 10:02:20 EDT
Reproduced on spacewalk-java-2.5.14-89.el6sat with the reproducer from the initial report. Using dev-tools in FF I was able to re-enable all disabled check boxes and the "update" button as well, and change the settings afterwards.

After updating to spacewalk-java-2.5.14-91.el6sat and trying the same procedure as before, I was able to re-enable all controls on the web page, but after pressing the "update" button, all settings reverted to their original state, as set by the global satellite admin.

VERIFIED
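The reproducer in the description and the post-fix behaviour described in comment 4, side by side, as an added Python example that is not Spacewalk's code: the "before" handler stores whatever the browser posts, so stripping `disabled=` is enough to change a locked setting; the "after" handler re-checks the organization flag on the server, keeps locked fields at the values the satellite admin set, and reports which locked fields arrived in the post so the attempt can be audit-logged. The `Org`/`User` classes, the field names and the form contents are constructed for the example.

```python
from dataclasses import dataclass, field

# Settings an org admin may only change when the satellite admin has ticked
# "Allow Organization Admin to manage Organization Configuration".
# Field names are constructed for this example, not Spacewalk's real ones.
LOCKABLE_FIELDS = ("errata_email_notifications", "crash_file_upload", "scap_file_upload")


@dataclass
class Org:
    name: str
    org_admin_may_manage_config: bool   # the satellite-admin-controlled flag
    config: dict = field(default_factory=dict)


@dataclass
class User:
    login: str
    org: Org
    is_satellite_admin: bool = False


def checkbox(form, key):
    """HTML checkboxes post 'on' when ticked and are simply absent otherwise."""
    return form.get(key) == "on"


def update_vulnerable(user, org, form):
    """Before the fix: whatever the browser posts is stored. The only guard was
    disabled= on the checkbox, which a dev-tool removes in one click."""
    for key in LOCKABLE_FIELDS:
        org.config[key] = checkbox(form, key)
    return org.config


def update_fixed(user, org, form):
    """After the fix: authorization is re-checked on the server. For a user who
    may not manage the configuration, posted values are dropped and the settings
    stay as the satellite admin set them (the behaviour observed in comment 4)."""
    may_edit = user.is_satellite_admin or (
        user.org is org and org.org_admin_may_manage_config)
    tampered = []
    for key in LOCKABLE_FIELDS:
        if may_edit:
            org.config[key] = checkbox(form, key)
        elif key in form:
            # a disabled checkbox is never submitted, so a locked key in the post
            # means the client stripped disabled=; worth an audit-log entry
            tampered.append(key)
    return org.config, tampered
```

The returned `tampered` list is the detection hook: a locked field that shows up in a POST from an org admin is a sign of form tampering, not of normal use.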
Comment 6 errata-xmlrpc 2017-09-06 08:27:53 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:2645
