Bug 172796 - Users can see channels they don't have permission to
Summary: Users can see channels they don't have permission to
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Version: 400
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Justin Sherrill
QA Contact: wes hayutin
Depends On:
Blocks: 456985
Reported: 2005-11-09 21:02 UTC by Matthew Davis
Modified: 2018-11-14 18:16 UTC

Clone Of:
Last Closed: 2009-09-10 20:20:19 UTC


Description Matthew Davis 2005-11-09 21:02:53 UTC
Description of problem:
The feature for disallowing users to subscribe systems to channels they don't
have permission works, but it should also disallow the user from actually seeing
the channel.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. Create a custom channel (clone it, etc)
2. Make the channel Globally Subscribable set to NO
3. Create a user
4. Make sure the user cannot see the channel under its channel permissions.
5. Log in as the user and go to the Channels tab.  You should not be able to see
the custom channel.

Actual results:
You can see the non-globally subscribed channel.

Expected results:
Not see the non-globally subscribed channel.

Additional info:
It's likely the search tool might need to query if the user has permission to
this channel as well.

Comment 5 Justin Sherrill 2007-09-25 15:13:32 UTC
fixed in rev 132107

Test plan:

1. create custom channel 
2. set channel to not be globally subscribable 
3. log in as regular user (non-org admin)
4. Verify the user cannot see the channel
5. change the regular user's channel perms to be able to access custom channel
6. log in as regular user 
7. Verify the user can see the channel
8.  Change channel back to be globally subscribable
9.  log in as regular user
10. Verify the user can see the channel

Comment 6 wes hayutin 2007-10-10 19:37:07 UTC
verified build 17

Comment 7 Pradeep Kilambi 2008-03-26 14:28:25 UTC

- created a custom channel
- made it not globally subscribable
- and I don't see that in software channel list rhn/software/channels/Relevant.do
- this is as admin and a channel admin and he should be able to see the custom


Comment 8 wes hayutin 2008-03-26 15:48:58 UTC
k.. this does fail..
however for two reasons..

about comment #7, 
the channel should be visible from the software channel overview, and it
disappears after removing global access.  The channel is still accessible from
"manage software channels".   This part is a new bug..

Once the global access is removed.. a regular user can log in and see the custom
channel.. so this bug also fails due to the recreate in comment #5

Comment 11 wes hayutin 2008-03-26 16:12:20 UTC
k.. not only is the unauthorized channel viewable.. the unauthorized user can
subscribe to the channel and get updates

Comment 12 wes hayutin 2008-03-26 21:56:54 UTC
sorry. until I can confirm..
The user is able to see the channel and download packages from the channel, but
can not subscribe a system to that channel

Comment 15 Justin Sherrill 2008-03-27 19:21:12 UTC
New Test Plan:

Test this with custom and RH Base channels:

1.  Create/locate channel
2.  Set channel to be non-globally subscribable 
3.  create regular user1 with NO subscribe permissions to channel from step 1
4.  create 2nd regular user2 WITH subscribe permissions to channel from step 1
5.  Login as user1.  user1 should NOT be able to see said channel on channels list
6.  Login as user2.  user2 SHOULD be able to see channel on channel list
7.  Login as org_admin user.  Org_admin user SHOULD be able to see channel on
channel list.

Comment 16 Partha Aji 2008-03-27 19:55:29 UTC
Another Scenario

As an org admin
1. Create custom channel that's not globally subscribable
2. Create a new user X
3. Create a new system group SG and assign X as an admin to SG.
4. Create a new activation key, set the custom channel as the base channel and
SG as the group.
5. Mark the activation key as the org default.
6. Register systems using this activation key.
7. Login as X and Click systems.
8. Notice that a clickable Custom Channel link is shown in the systems list. 
9. Click the custom channel link
Notice that X is able to access the custom channel completely even though the
user is NOT subscribed for this channel....

Comment 17 Justin Sherrill 2008-03-27 20:00:25 UTC
^ partha, that is really a different page altogether. Opened 2nd bug for that in
bz 439272

Comment 19 Justin Sherrill 2009-03-09 19:23:51 UTC
Multiorg has changed this a bunch.  I'm gonna run through the test cases and see what happens.

Comment 20 Justin Sherrill 2009-03-09 20:10:56 UTC
This looks fine now.

Comment 21 wes hayutin 2009-03-23 12:45:27 UTC
confirmed.. the various scenarios pass

Comment 22 Michael Mráka 2009-07-29 10:14:33 UTC
Verified in stage -> RELEASE_PENDING.

Testplan from comment #15:
* user1 can't access the channel
* user2 can access the channel
* orgadmin and channeladmin can access the channel
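
The visibility rule that the test plans in comments 5, 15 and 22 check for, written as an added example that is not part of the bug thread or of Satellite's code. The `User`/`Channel` model, the role names and the channel label are assumptions for illustration; the two broken rules model the symptoms reported in the description and in comment 7.

```python
from dataclasses import dataclass, field

ADMIN_ROLES = frozenset({"org_admin", "channel_admin"})  # assumed role names

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

@dataclass
class Channel:
    label: str
    globally_subscribable: bool = True
    permitted: set = field(default_factory=set)  # user names granted access

def can_access(user, ch):
    """One rule for every entry point: list, search, detail, download, subscribe."""
    return (ch.globally_subscribable or bool(user.roles & ADMIN_ROLES)
            or user.name in ch.permitted)

def unfiltered(user, ch):
    """Symptom in the description: the listing never consults permissions."""
    return True

def no_admin_bypass(user, ch):
    """Symptom in comment 7: the filter hides the channel from admins too."""
    return ch.globally_subscribable or user.name in ch.permitted

def visible_channels(user, channels, rule=can_access):
    return [c.label for c in channels if rule(user, c)]

def run_matrix(rule):
    """Run the thread's test matrix; return the names whose result is wrong."""
    ch = Channel("custom-clone", globally_subscribable=False, permitted={"user2"})
    expected = {  # constructed users mirroring comments 15 and 22
        User("user1"): False,
        User("user2"): True,
        User("orgadmin", frozenset({"org_admin"})): True,
        User("channeladmin", frozenset({"channel_admin"})): True,
    }
    failures = [u.name for u, want in expected.items()
                if (ch.label in visible_channels(u, [ch], rule)) != want]
    ch.globally_subscribable = True  # comment 5, steps 8-10: global access restored
    if ch.label not in visible_channels(User("user1"), [ch], rule):
        failures.append("user1-after-global")
    return failures

if __name__ == "__main__":
    for rule in (can_access, unfiltered, no_admin_bypass):
        print(rule.__name__, run_matrix(rule) or "pass")
```

Running the matrix against both broken rules shows why the plan needs the negative case (user1) and the admin cases together: each catches a failure the other misses.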

Comment 23 Brandon Perkins 2009-09-10 20:20:19 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

