Bug 1809304 - The create storage class button should only be present if a user has permissions to create storage classes
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.5.0
Assignee: Zac Herman
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-02 19:51 UTC by bpeterse
Modified: 2020-04-09 17:24 UTC

Fixed In Version:
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-09 17:24:36 UTC
Target Upstream Version:


Attachments
Normal User without Projects Visits Storage Classes page (293.49 KB, image/png)
2020-03-25 05:50 UTC, Yadan Pei
Normal User Has Projects Visits Storage Classes page (213.22 KB, image/png)
2020-03-25 05:51 UTC, Yadan Pei
Normal User Visits Storage Classes page by URL (348.54 KB, image/png)
2020-03-25 05:54 UTC, Yadan Pei

Description bpeterse 2020-03-02 19:51:23 UTC
This bug is created based on the following RFE:
  https://issues.redhat.com/browse/RFE-333

See the RFE for further details.

Comment 1 Fatima 2020-03-23 02:53:00 UTC
Hi team,

Any updates here?

Thanks,
Fatima

Comment 2 Yadan Pei 2020-03-25 05:50:34 UTC
Created attachment 1673278
Normal User without Projects Visits Storage Classes page

Comment 3 Yadan Pei 2020-03-25 05:51:59 UTC
Created attachment 1673279
Normal User Has Projects Visits Storage Classes page

Comment 4 Yadan Pei 2020-03-25 05:54:18 UTC
Created attachment 1673280
Normal User Visits Storage Classes page by URL

Comment 5 Yadan Pei 2020-03-25 05:58:34 UTC
Currently:

1) A normal user can't see the 'Create Storage' button on the Storage Classes page
2) When a normal user visits the Storage Classes page via URL, he/she can still fill in the form but gets an error message when he/she submits the form

I'm not sure if we can show an error message once the user visits the form creation page via URL. I know we can show an error message when the user submits the form. Will wait for comments from Devs.

Comment 6 Zac Herman 2020-04-09 17:10:50 UTC
1) First off, thanks @Yadan Pei for doing some checking on this as well.
2) As Yadan stated, non-admin users cannot see the "Create Storage Class" button so that is working as designed.
3) Now, if a non-admin user has a URL to an admin type of page (create storage class, create PV, operator hub, cluster config), they can get to that page but they will not be able to do anything because the API requires proper authorization. 
4) Currently there is no mechanism that simply prevents non-admin users from seeing admin pages.  If there is any data from an API call on those pages that is sensitive, the API will show an error due to lack of authorization.

I suggest we close this bug as working as designed.
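
Added example, not part of the bug thread or the OpenShift console code: one way a web console could answer the question in Comment 5 by running the same permission check for the button and for the create form reached by direct URL. It uses the Kubernetes SelfSubjectAccessReview API; the helper names, route strings and sample responses are assumptions constructed for the example.

```javascript
// Added example. SelfSubjectAccessReview is the Kubernetes "can I do this?" API;
// the helper names, route strings and sample responses are constructed here.
const SSAR_PATH = '/apis/authorization.k8s.io/v1/selfsubjectaccessreviews';

// Body to POST to SSAR_PATH. StorageClass is cluster-scoped, so no namespace.
function buildAccessReview(verb, group, resource) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: { resourceAttributes: { verb, group, resource } },
  };
}

// Fail closed: anything other than an explicit status.allowed === true is "no".
function isAllowed(review) {
  return Boolean(review && review.status && review.status.allowed === true);
}

// One decision drives both the list page button and the direct-URL form.
function decideView(route, review) {
  const allowed = isAllowed(review);
  if (route === 'list') {
    return { showCreateButton: allowed };
  }
  if (route === 'create') {
    return allowed
      ? { render: 'form' }
      : { render: 'error', message: 'You do not have permission to create storage classes.' };
  }
  throw new Error(`unknown route: ${route}`);
}

// Constructed sample responses for a normal user and a cluster admin.
const normalUser = { kind: 'SelfSubjectAccessReview', status: { allowed: false } };
const clusterAdmin = { kind: 'SelfSubjectAccessReview', status: { allowed: true } };

console.log('POST', SSAR_PATH);
console.log(JSON.stringify(buildAccessReview('create', 'storage.k8s.io', 'storageclasses')));
console.log(decideView('list', normalUser));
console.log(decideView('create', normalUser));
console.log(decideView('create', clusterAdmin));
```

A check like this only improves what the user sees; the API server's authorization of the actual create request remains the enforcement point, as Comment 6 describes.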

Comment 7 Steven Barre 2020-04-09 17:18:10 UTC
This was an issue back in 4.1, but seems to have been fixed now in 4.3. I'm the one who requested the RFE back in August. This should be OK to close now.

Comment 8 bpeterse 2020-04-09 17:24:36 UTC
If it has been resolved in recent versions, we can close the bug.  Perhaps we can take some time & make sure we handle this consistently everywhere.

