Bug 1467291 - [BUG] User with role containing "edit_products" filter on a specific product can remove content from other product's repositories also.
Status: CLOSED DUPLICATE of bug 1410916
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Repositories
Priority: medium
Severity: medium
Assigned To: Jonathon Turel
QA Contact: Katello QA List
Keywords: Triaged
Reported: 2017-07-03 06:16 EDT by vivpatil
Modified: 2017-08-21 16:07 EDT
Last Closed: 2017-08-14 12:27:33 EDT
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
Foreman Issue Tracker 20409 None None None 2017-07-25 12:49 EDT

Description vivpatil 2017-07-03 06:16:22 EDT
Description of problem:

When a Satellite user role is created with the edit_products permission on a specific product, it allows the user who is assigned this role to remove the content from other products on which only the view_products filter is assigned. The user should be allowed to remove the content from a product repository only if he has rights to edit_product.

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.2.10

How reproducible:
Every time.

Steps to Reproduce:
1. Create a new user.

2. Create a role with the below filters and assign it to the user created above. This will allow the user to only edit the product "puppet-prod" and will only allow viewing the rest of the products.
hammer> role filters --id 22
177 | Katello::Product | none                | yes        | prodview | view_products
178 | Katello::Product | name =  puppet-prod | no         | prodview | edit_products

3. After this, try to remove the yum package from the repository in the product where the user has only view rights.
hammer> repository remove-content --name katello-agent --content-ids 11403 --organization-id 1
Repository content removed

Actual results:
The user is allowed to remove the content from the product repositories even when it has view only access.

Expected results:
The user should not be allowed to remove the content from the product repositories where it has view only access.
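
The access decision the report expects, modeled as an added example (not part of the original report and not Satellite or Katello code). It parses the two filter rows shown in step 2 and applies a default-deny check; the column meanings, the helper names and the product name "other-product" are assumptions made for illustration.

```python
import re

# Constructed copy of the two filter rows from step 2. Assumed column order:
# id | resource type | search | unlimited | role | permissions
FILTER_ROWS = """\
177 | Katello::Product | none                | yes        | prodview | view_products
178 | Katello::Product | name =  puppet-prod | no         | prodview | edit_products
"""

# Per the report, removing repository content should require edit_products
# on the product that owns the repository.
REQUIRED = {"repository remove-content": "edit_products"}


def parse_filters(text):
    """Turn pipe-separated filter rows into dicts."""
    filters = []
    for line in text.strip().splitlines():
        _id, rtype, search, unlimited, _role, perms = [c.strip() for c in line.split("|")]
        filters.append({
            "resource": rtype,
            "search": None if search == "none" else search,
            "unlimited": unlimited == "yes",
            "permissions": {p.strip() for p in perms.split(",")},
        })
    return filters


def search_matches(search, product_name):
    """Handle only the 'name = <value>' search form that appears in the report."""
    m = re.fullmatch(r"name\s*=\s*(\S.*)", search)
    return bool(m) and m.group(1).strip() == product_name


def is_allowed(filters, action, product_name):
    """Allow only if a filter grants the needed permission AND covers this product."""
    needed = REQUIRED[action]
    for f in filters:
        if f["resource"] != "Katello::Product" or needed not in f["permissions"]:
            continue
        if f["unlimited"] or (f["search"] and search_matches(f["search"], product_name)):
            return True
    return False  # default deny: a view-only filter never satisfies edit_products


def expected_matrix(filters, action, products):
    """Expected allow/deny per product, for comparison against real hammer results."""
    return {p: is_allowed(filters, action, p) for p in products}
```

Comparing `expected_matrix` against the outcome of the same hammer command run as the restricted user gives a quick regression check for this bug once a fix is installed.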
Comment 2 Jonathon Turel 2017-07-25 12:49:41 EDT
Created redmine issue http://projects.theforeman.org/issues/20409 from this bug
Comment 3 Jonathon Turel 2017-08-14 12:27:33 EDT
Closing this due to duplication. See 1410916 for the details about what's causing this problem and tracking the resolution.

*** This bug has been marked as a duplicate of bug 1410916 ***
