Description of problem:
When a Satellite user role is created with edit_products permission on a specific product, it allows the user who is assigned this role to remove the content from other products on which only view_products filter is assigned. The user should only be allowed to remove the content from a product repository only if he has rights to edit_product.

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.2.10

How reproducible:
Every time.

Steps to Reproduce:
1. Create a new user.
2. Create a role with the below filters and assign it to the user created above. This will allow the user to only edit the product "puppet-prod" and will only allow to view the rest of the products.

hammer> role filters --id 22
----|------------------|---------------------|------------|----------|--------------
ID  | RESOURCE TYPE    | SEARCH              | UNLIMITED? | ROLE     | PERMISSIONS
----|------------------|---------------------|------------|----------|--------------
177 | Katello::Product | none                | yes        | prodview | view_products
178 | Katello::Product | name = puppet-prod  | no         | prodview | edit_products
----|------------------|---------------------|------------|----------|--------------

3. After this, try to remove the yum package from the repository in the product where the user has only view rights.

hammer> repository remove-content --name katello-agent --content-ids 11403 --organization-id 1
Repository content removed

Actual results:
The user is allowed to remove the content from the product repositories even when it has view only access.

Expected results:
The user should not be allowed to remove the content from the product repositories where it has view only access.
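
The decision the report expects for these two filters, written out as an added Ruby example; it is a model for illustration, not Katello or Satellite code, and it does not describe the cause of the bug. The action-to-permission mapping, the `name = <value>` matcher and the product name `other-product` are assumptions.

```ruby
# Illustrative model only, not Katello or Foreman code.
# A filter grants its permissions either on every resource of its type
# (unlimited) or only on the resources matching its search.
Filter = Struct.new(:id, :resource_type, :search, :unlimited, :permissions)

# Constructed from the `role filters --id 22` output in the report.
PRODVIEW_FILTERS = [
  Filter.new(177, "Katello::Product", nil, true, ["view_products"]),
  Filter.new(178, "Katello::Product", "name = puppet-prod", false, ["edit_products"]),
].freeze

# Assumption: removing repository content requires edit_products on the
# owning product, which is what the report's expected results ask for.
ACTION_PERMISSION = { "remove_content" => "edit_products" }.freeze

# Minimal matcher for the single search form shown in the report,
# `name = <value>`. Any other search expression fails closed.
def search_matches?(search, product_name)
  m = /\Aname\s*=\s*(.+)\z/.match(search.to_s.strip)
  !m.nil? && m[1].strip == product_name
end

# True when some filter grants `permission` on the named product.
# An unlimited filter only counts for the permissions it lists itself,
# so unlimited view_products never implies edit_products.
def granted?(filters, permission, product_name)
  filters.any? do |f|
    f.resource_type == "Katello::Product" &&
      f.permissions.include?(permission) &&
      (f.unlimited || search_matches?(f.search, product_name))
  end
end

# Authorization decision for an action against one product.
def authorized?(filters, action, product_name)
  permission = ACTION_PERMISSION[action]
  return false if permission.nil? # unknown action: deny

  granted?(filters, permission, product_name)
end

# "other-product" is a constructed name for a view-only product.
puts authorized?(PRODVIEW_FILTERS, "remove_content", "puppet-prod")
puts authorized?(PRODVIEW_FILTERS, "remove_content", "other-product")
```

A regression test for the fix would assert the same two outcomes against a real Satellite: the removal succeeds for `puppet-prod` and is rejected for any product covered only by filter 177.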
Created redmine issue http://projects.theforeman.org/issues/20409 from this bug
Closing this due to duplication. See 1410916 for the details about what's causing this problem and tracking the resolution.

*** This bug has been marked as a duplicate of bug 1410916 ***