Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1618644

Summary: Switch menu items by user role
Product: OpenShift Container Platform
Component: Management Console
Version: 3.10.0
Status: CLOSED WONTFIX
Severity: low
Priority: low
Reporter: Takayuki Konishi <tkonishi>
Assignee: Samuel Padgett <spadgett>
QA Contact: Yadan Pei <yapei>
CC: aos-bugs, deads, jokerman, mhild, mmccomas
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-06-04 20:34:13 UTC
Type: Bug
Attachments: delete modal (flags: none)

Description Takayuki Konishi 2018-08-17 08:06:50 UTC
Description of problem:
It's not clear whether a user can delete a project or not on the Management console. It's especially difficult to make this out in a project I don't own.

Version-Release number of selected component (if applicable): 3.10

How reproducible: 100%

Steps to Reproduce:
1. Create 2 users (userA, userB)
2. userA creates a project
3. userA adds userB as a view user ( oc adm policy add-role-to-user view userB )
4. Log in to the Management console as userB
5. Click project options

Actual results:
userB can select "Edit Project" and "Delete Project". Regarding "Delete Project", userB can confirm it's prohibited after clicking the "Delete" button.

Expected results:
"Edit Project" and "Delete Project" are disabled if a user does not have the permission.

Comment 1 Samuel Padgett 2018-08-17 13:05:31 UTC
I agree this isn't an ideal experience. Unfortunately this is a limitation in the console because there is no API we can use to easily check. It requires a separate request for every project, which is prohibitively expensive if you have a large number of projects in the list.

Comment 2 Marcel Hild 2018-08-20 10:40:15 UTC
I disagree. 
You could make the request to check if the project is deletable with your account when showing the "delete modal". See attachment.

Going further you could work with the API team to annotate the "list projects" call with that information.

Comment 3 Marcel Hild 2018-08-20 10:40:56 UTC
Created attachment 1477125
delete modal

Comment 4 Samuel Padgett 2018-08-20 12:47:44 UTC
(In reply to Marcel Hild from comment #2)

> Going further you could work with the API team to annotate the "list
> projects" call with that information.

I expect that would be very expensive to do. David?

Comment 6 David Eads 2018-08-20 13:54:15 UTC
Annotating a project with "can you delete this information"? It goes against several API conventions.

 1. all viewers of a resource see the same resource
 2. a round-trip (read/write) cycle doesn't change content
 3. no "special" fields for server mechanics

We can't pursue that path.

Comment 8 Samuel Padgett 2019-06-04 20:34:13 UTC
This will be addressed in the 4.2 console where we perform a SelfSubjectAccessReview when the user opens the kebab menu [1]. We do not plan to address this in the 3.x console.

[1] https://github.com/openshift/console/pull/1559
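
The approach from comment 8 (one SelfSubjectAccessReview per menu action, issued only when a project's kebab menu is opened), as an added example that is not part of this bug report and not the console's own code. The `post` helper, the menu-to-verb mapping, and setting `namespace` to the project name are assumptions of this sketch.

```javascript
// Added example: lazy, cached SelfSubjectAccessReview checks for a project's kebab menu.
const SSAR_PATH = '/apis/authorization.k8s.io/v1/selfsubjectaccessreviews';

// Menu label -> verb to check. This mapping is an assumption for the sketch.
const MENU_VERBS = { 'Edit Project': 'update', 'Delete Project': 'delete' };

// Build the review body for one verb on one project.
// Assumption: namespace is set to the project name so that namespaced
// role bindings (such as "view") are taken into account.
function buildAccessReview(verb, project) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: {
      resourceAttributes: {
        group: 'project.openshift.io',
        resource: 'projects',
        verb,
        name: project,
        namespace: project,
      },
    },
  };
}

// Fail closed: anything except an explicit status.allowed === true disables the item.
function isAllowed(response) {
  return Boolean(response && response.status && response.status.allowed === true);
}

// Returns the function to call when the user opens a project's kebab menu.
// `post(path, body)` is a hypothetical HTTP helper resolving to the parsed JSON response.
function createMenuChecker(post) {
  const cache = new Map(); // "project/verb" -> Promise<boolean>
  return async function openKebabMenu(project) {
    const entries = await Promise.all(
      Object.entries(MENU_VERBS).map(async ([label, verb]) => {
        const key = `${project}/${verb}`;
        if (!cache.has(key)) {
          // A failed request is treated as "not allowed".
          const check = post(SSAR_PATH, buildAccessReview(verb, project))
            .then(isAllowed, () => false);
          cache.set(key, check);
        }
        return [label, { enabled: await cache.get(key) }];
      })
    );
    return Object.fromEntries(entries);
  };
}
```

The cost is two requests per opened menu rather than one per project in the list, which is the expense raised in comment 1. The disabled state is only a display hint; the API server still rejects the delete for a view-only user, as in the reported behaviour.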