Bug 172796 - Users can see channels they don't have permission to
Status: CLOSED CURRENTRELEASE
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 400
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Justin Sherrill
QA Contact: wes hayutin
Blocks: 456985
Reported: 2005-11-09 16:02 EST by Matthew Davis
Modified: 2010-10-21 23:40 EDT (History)
Fixed In Version: sat530
Doc Type: Bug Fix
Last Closed: 2009-09-10 16:20:19 EDT
Description Matthew Davis 2005-11-09 16:02:53 EST
Description of problem:
The feature for disallowing users to subscribe systems to channels they don't
have permission works, but it should also disallow the user from actually seeing
the channel.

Version-Release number of selected component (if applicable):

4.0.1

How reproducible:
Every time

Steps to Reproduce:
1. Create a custom channel (clone it, etc)
2. Make the channel Globally Subscribable set to NO
3. Create a user
4. Make sure the user cannot see the channel under its channel permissions.
5. Log in as the user and go to the Channels tab.  You should not be able to see
the custom channel.
  
Actual results:
You can see the non-globally subscribed channel.

Expected results:
Not see the non-globally subscribed channel.

Additional info:
It's likely the search tool might need to query if the user has permission to
this channel as well.
Comment 5 Justin Sherrill 2007-09-25 11:13:32 EDT
fixed in rev 132107

Test plan:

1. create custom channel 
2. set channel to not be globally subscribable 
3. log in as regular user (non-org admin)
4. Verify the user cannot see the channel
5. change the regular user's channel perms to be able to access custom channel
6. log in as regular user 
7. Verify the user can see the channel
8.  Change channel back to be globally subscribable
9.  log in as regular user
10. Verify the user can see the channel

Comment 6 wes hayutin 2007-10-10 15:37:07 EDT
verified build 17
Comment 7 Pradeep Kilambi 2008-03-26 10:28:25 EDT
Fails_QA

- created a custom channel
- made it not globally subscribable
- and I don't see that in software channel list rhn/software/channels/Relevant.do
- this is as admin and a channel admin and he should be able to see the custom
channel


 
Comment 8 wes hayutin 2008-03-26 11:48:58 EDT
k.. this does fail..
however for two reasons..

about comment #7, 
the channel should be visible from the software channel overview, and it
disappears after removing global access.  The channel is still accessible from
"manage software channels".   This part is a new bug..

Once the global access is removed.. a regular user can log in and see the custom
channel.. so this bug also fails due to the recreate in comment #5

Comment 11 wes hayutin 2008-03-26 12:12:20 EDT
k.. not only is the unauthorized channel viewable.. the unauthorized user can
subscribe to the channel and get updates

Comment 12 wes hayutin 2008-03-26 17:56:54 EDT
sorry. until I can confirm..
The user is able to see the channel and download packages from the channel, but
can not subscribe a system to that channel
Comment 15 Justin Sherrill 2008-03-27 15:21:12 EDT
New Test Plan:

Test this with custom and RH Base channels:


1.  Create/locate channel
2.  Set channel to be non-globally subscribable 
3.  create regular user1 with NO subscribe permissions to channel from step 1
4.  create 2nd regular user2 WITH subscribe permissions to channel from step 1
5.  Log in as user1.  user1 should NOT be able to see said channel on channels list
6.  Log in as user2.  user2 SHOULD be able to see channel on channel list
7.  Log in as org_admin user.  Org_admin user SHOULD be able to see channel on
channel list.
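
The matrix from the test plan above, modelled in code. This is an added example, not Satellite code and not part of the comment: it contrasts a channel listing that skips the permission check with one that reuses the same predicate as the subscribe path. All class, function, role and channel names are hypothetical and the data is constructed.

```python
from dataclasses import dataclass, field

ADMIN_ROLES = {"org_admin", "channel_admin"}  # hypothetical role names

@dataclass
class Channel:
    label: str
    globally_subscribable: bool = True
    subscribers: set = field(default_factory=set)  # logins granted access explicitly

@dataclass(frozen=True)
class User:
    login: str
    roles: frozenset = frozenset()

def can_access(user, channel):
    """Single authorization predicate shared by every code path."""
    if ADMIN_ROLES & user.roles:
        return True
    return channel.globally_subscribable or user.login in channel.subscribers

def subscribe(user, channel, system, subscriptions):
    """Subscribe path: already enforced the permission in the original report."""
    if not can_access(user, channel):
        raise PermissionError(f"{user.login} may not use {channel.label}")
    subscriptions.setdefault(system, set()).add(channel.label)

def list_channels_unfiltered(user, channels):
    """Reported behaviour: the listing never consults the permission."""
    return [c.label for c in channels]

def list_channels(user, channels):
    """Listing that applies the same predicate as subscribe()."""
    return [c.label for c in channels if can_access(user, c)]

def run_test_plan():
    """Steps 1-7 of the test plan on constructed data: who sees the channel?"""
    custom = Channel("custom-clone", globally_subscribable=False,
                     subscribers={"user2"})
    channels = [Channel("base-channel"), custom]
    users = [User("user1"), User("user2"),
             User("orgadmin", frozenset({"org_admin"}))]
    return {u.login: custom.label in list_channels(u, channels) for u in users}

if __name__ == "__main__":
    print(run_test_plan())
```
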
Comment 16 Partha Aji 2008-03-27 15:55:29 EDT
Another Scenario

As an org admin
1. Create custom channel that's not globally subscribable
2. Create a new user X
3. Create a new system group SG and assign X as an admin to SG.
4. Create a new activation key, set the custom channel as the base channel and
SG as the group.
5. Mark the activation key as the org default.
6. Register systems using this activation key.
7. Log in as X and click Systems.
8. Notice that a clickable Custom Channel link is shown in the systems list. 
9. Click the custom channel link
Notice that X is able to access the custom channel completely even though the
user is NOT subscribed for this channel....
Comment 17 Justin Sherrill 2008-03-27 16:00:25 EDT
^ partha, that is really a different page altogether. Opened 2nd bug for that in
bz 439272
Comment 19 Justin Sherrill 2009-03-09 15:23:51 EDT
Multiorg has changed this a bunch.  I'm gonna run through the test cases and see what happens.
Comment 20 Justin Sherrill 2009-03-09 16:10:56 EDT
This looks fine now.
Comment 21 wes hayutin 2009-03-23 08:45:27 EDT
confirmed.. the various scenarios pass
verified
Comment 22 Michael Mráka 2009-07-29 06:14:33 EDT
Verified in stage -> RELEASE_PENDING.

Testplan from comment #15:
* user1 can't access the channel
* user2 can access the channel
* orgadmin and channeladmin can access the channel
Comment 23 Brandon Perkins 2009-09-10 16:20:19 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-1434.html
