Description of problem: Restrict edit_params & create_params to set host parameters only on hosts that user owns Version-Release number of selected component (if applicable): 6.2.12 How reproducible: everytime Steps to Reproduce: 1. Define that filter Host build_hosts, create_hosts lifecycle_environment = "SomeEnv" Host destroy_hosts, edit_hosts, view_hosts owner = <someuser> Host power_hosts owner = <someuser> Parameter edit_params, create_params none Domain view_domains name = <somedomain> 2.Create new parameters on a hostname that is NOT owned by someuser https://satellite/api/hosts/hostname/parameters with json for example. { "name": "groups", "value": "<group1>" } 3. Actual results: POST is succesful even that hostname is not belonging to someuser and not visible on All hosts page by that user Expected results: User is restricted to change/add parameters only on his own hosts Additional info:
Thanks Dmitry for report, I believe this is a duplicate of BZ 1384035 which tracks it not only for parameters but all resources. I'm marking it as a duplicate, please reattach the case. If I misunderstood, please let me know or reopen. *** This bug has been marked as a duplicate of bug 1384035 ***