Red Hat Bugzilla – Bug 172796
Users can see channels they don't have permission to
Last modified: 2010-10-21 23:40:33 EDT
Description of problem:
The feature for disallowing users to subscribe systems to channels they don't
have permission works, but it should also disallow the user from actually seeing
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a custom channel (clone it, etc)
2. Make the channel Globally Subscribable set to NO
3. Create a user
4. Make sure the user cannot see the channel under its channel permissions.
5. Log in as the user and go to the Channels tab. You should not be able to see
the custom channel.
You can see the non-globally subscribed channel.
Not see the non-globally subscribed channel.
It's likely the search tool might need to query if the user has permission to
this channel as well.
fixed in rev 132107
1. create custom channel
2. set channel to not be globally subscribable
3. log in as regular user (non-org admin)
4. Verify the user cannot see the channel
5. change the regular user's channel perms to be able to access custom channel
6. log in as regular user
7. Verify the user can see the channel
8. Change channel back to be globally subscribable
9. log in as regular user
10. Verify the user can see the channel
verified build 17
- created a custom channel
- made it not globally subscribable
- and I don't see that in software channel list rhn/software/channels/Relevant.do
- this is as admin and a channel admin and he should be able to see the custom
k.. this does fail..
however for two reasons..
about comment #7,
the channel should be visible from the software channel overview, and it
disappears after removing global access. The channel is still accessible from
"manage software channels". This part is a new bug..
Once the global access is removed.. a regular user can log in and see the custom
channel.. so this bug also fails due to the recreate in comment #5
k.. not only is the unauthorized channel viewable.. the unauthorized user can
subscribe to the channel and get updates
sorry. until I can confirm..
The user is able to see the channel and download packages from the channel, but
can not subscribe a system to that channel
New Test Plan:
Test this with custom and RH Base channels:
1. Create/locate channel
2. Set channel to be non-globally subscribable
3. create regular user1 with NO subscribe permissions to channel from step 1
4. create 2nd regular user2 WITH subscribe permissions to channel from step 1
5. Login as user1. user1 should NOT be able to see said channel on channels list
6. Login as user2. user2 SHOULD be able to see channel on channel list
7. Login as org_admin user. Org_admin user SHOULD be able to see channel on
AS an org admin
1. Create custom channel that's not globally subscribable
2. Create a new user X
3. Create a new system group SG and assign X as an admin to SG.
4. Create a new activation key, set the custom channel as the base channel and
SG as the group.
5. Mark the activation key as the org default.
6. Register systems using this activation key.
7. Login as X and Click systems.
8. Notice that a clickable Custom Channel link is shown in the systems list.
9. Click the custom channel link
Notice that X is able to access the custom channel completely even though the
user is NOT subscribed for this channel....
^ partha, that is really a different page altogether. Opened 2nd bug for that in
Multiorg has changed this a bunch. I'm gonna run through the test cases and see what happens.
This looks fine now.
confirmed.. the various scenarios pass
Verified in stage -> RELEASE_PENDING.
Testplan from comment #15:
* user1 can't access the channel
* user2 can access the channel
* orgadmin and channeladmin can access the channel
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
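
The access rule exercised by the test plans in this report, written as an added example; it is not code from the product or from any commenter. All names (`can_access`, `list_channels`, `view_channel`, `subscribe_system`, the channel labels) are hypothetical. It shows one shared check gating the channel list, the direct-link detail page and the subscribe path, so the three cannot disagree the way the comments above describe.

```python
from dataclasses import dataclass, field

ADMIN_ROLES = frozenset({"org_admin", "channel_admin"})

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()

@dataclass
class Channel:
    label: str
    globally_subscribable: bool = True
    permitted_users: set = field(default_factory=set)  # per-user grants

def can_access(user, channel):
    """The one authorization rule, taken from the test plans in this report."""
    if channel.globally_subscribable:
        return True
    if user.roles & ADMIN_ROLES:
        return True
    return user.name in channel.permitted_users

def list_channels(user, channels):
    """Channel list page: filter with the shared rule."""
    return [c.label for c in channels if can_access(user, c)]

def view_channel(user, channel):
    """Detail page reached by a direct link, e.g. from a systems list."""
    if not can_access(user, channel):
        raise PermissionError(f"{user.name} may not view {channel.label}")
    return channel.label

def subscribe_system(user, channel, system):
    """Subscription path: same rule, so list, view and subscribe cannot drift."""
    if not can_access(user, channel):
        raise PermissionError(f"{user.name} may not subscribe to {channel.label}")
    return (system, channel.label)

def fixture():
    """Constructed sample data mirroring the 'New Test Plan' users."""
    custom = Channel("custom-clone", globally_subscribable=False,
                     permitted_users={"user2"})
    public = Channel("public-base")
    users = {n: User(n) for n in ("user1", "user2")}
    users["orgadmin"] = User("orgadmin", frozenset({"org_admin"}))
    users["channeladmin"] = User("channeladmin", frozenset({"channel_admin"}))
    return [public, custom], users
```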