RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1494870 - [RFE] Do not display user list in FreeIPA WebUI self-service
Summary: [RFE] Do not display user list in FreeIPA WebUI self-service
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-09-23 20:55 UTC by Anvar Kuchkartaev
Modified: 2019-02-18 21:08 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-02-18 21:08:53 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Anvar Kuchkartaev 2017-09-23 20:55:32 UTC 
Description of problem:
When accessing FreeIPA server web ui from any IPA user with lowest privileges in system it is visible two tabs, Users, OTP Tokens. If user clicks OTP Tokens tab and back to Users tab all users in enterprise are being listed to the unauthorized user.

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-21.0.1.el7_4.1.2.x86_64

Steps to Reproduce:
1. Login to FreeIPA WebUI with any user with minimal privileges.
2. Click to OTP Tokens tab.
3. Click back to Users tab.

Actual results:
All users registered in FreeIPA server are visible.

Expected results:
I expect to see userlist only if the user is authorized to do it.
Comment 2 Petr Vobornik 2017-10-02 11:43:11 UTC 
By default users are authorized to see it because of system permissions, there is several permissions for just users:
  "System: Read User $SOMETHING"

To change the behavior, one can change "bind rule type" from "all", to "permission" and assign the permission to privileges+roles.

Other IPA objecs behave the same one. You can verify it by kiniting as normal user and issuing various -find and -show command in CLI.

I.e. it behaves as designed.
Comment 4 Petr Vobornik 2017-10-13 17:05:28 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7204
Comment 6 Rob Crittenden 2019-02-18 21:08:53 UTC 
I agree with Petr, closing as wontfix, it is working as designed.
Note You need to log in before you can comment on or make changes to this bug.