1467291 – [BUG] User with role containing "edit_products" filter on a specific product can remove content from other product's repositories also.

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1467291 - [BUG] User with role containing "edit_products" filter on a specific product can remove content from other product's repositories also.

Summary: [BUG] User with role containing "edit_products" filter on a specific product ...

Keywords:
Status:	CLOSED DUPLICATE of bug 1410916
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Repositories
Sub Component:
Version:	6.2.10
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	Unspecified
Assignee:	Jonathon Turel
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-03 10:16 UTC by vivpatil
Modified:	2023-12-15 15:56 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-14 16:27:33 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	20409	0	None	None	None	2017-07-25 16:49:43 UTC

Description vivpatil 2017-07-03 10:16:22 UTC

Description of problem:

When a Satellite user role is created with edit_products permission on a specific product, it allows the user who is assigned this role to remove the content from other products on which only view_products filter is assigned. The user should only be allowed to remove the content from a product repository only if he has rights to edit_product. 

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.2.10

How reproducible:
Every time.

Steps to Reproduce:
1. Create a new user.

2. Create a role with below filters and assign it to the user create above. This will allow the user to only edit the product "puppet-prod" and will only allow to view the rest products
hammer> role filters --id 22
----|------------------|---------------------|------------|----------|--------------
ID  | RESOURCE TYPE    | SEARCH              | UNLIMITED? | ROLE     | PERMISSIONS  
----|------------------|---------------------|------------|----------|--------------
177 | Katello::Product | none                | yes        | prodview | view_products
178 | Katello::Product | name =  puppet-prod | no         | prodview | edit_products
----|------------------|---------------------|------------|----------|--------------

3. After this try to remove the yum package from the repository in the product where user has only view rights.
hammer> repository remove-content --name katello-agent --content-ids 11403 --organization-id 1
Repository content removed

Actual results:
The user is allowed to remove the content from the product repositories even when it has view only access.

Expected results:
The user should not be allowed to remove the content from the product repositories where it has view only access.

Comment 2 Jonathon Turel 2017-07-25 16:49:41 UTC

Created redmine issue http://projects.theforeman.org/issues/20409 from this bug

Comment 3 Jonathon Turel 2017-08-14 16:27:33 UTC

Closing this due to duplication. See 1410916 for the details about what's causing this problem and tracking the resolution.

*** This bug has been marked as a duplicate of bug 1410916 ***

Note You need to log in before you can comment on or make changes to this bug.