Bug 1925172 - Non admin user with viewer role can perform action on the task
Summary: Non admin user with viewer role can perform action on the task
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Tasks Plugin
Version: 6.9.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: high
Target Milestone: 6.10.0
Assignee: Adam Ruzicka
QA Contact: Peter Ondrejka
URL:
Whiteboard:
Depends On: 1922134 1922145 1922174
Blocks:
Reported: 2021-02-04 14:22 UTC by Anand Agrawal
Modified: 2021-11-16 14:10 UTC

Fixed In Version: foreman-2.3.1.10-1, tfm-rubygem-foreman-tasks-4.1.4
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1922174
Environment:
Last Closed: 2021-11-16 14:10:01 UTC
Target Upstream Version:
Embargoed:


Attachments
batch-selection (31.22 KB, image/png), 2021-06-02 09:53 UTC, Peter Ondrejka
batch-confirm (14.97 KB, image/png), 2021-06-02 09:53 UTC, Peter Ondrejka


Links
- Foreman Issue Tracker 31872 (priority Normal, status New): Non admin user with viewer role can attempt to perform action on the task; last updated 2021-02-15 11:13:22 UTC
- Foreman Issue Tracker 31873 (priority Normal, status Closed): Expose edit permission in api index layout for bulk actions on resource; last updated 2021-02-19 08:25:31 UTC
- Red Hat Knowledge Base (Solution) 5899441; last updated 2021-03-23 13:50:03 UTC
- Red Hat Product Errata RHSA-2021:4702; last updated 2021-11-16 14:10:12 UTC

Description Anand Agrawal 2021-02-04 14:22:47 UTC
Description of problem:

A non-admin user with the 'Viewer' role can see tasks and select all tasks. The individual task checkbox is greyed out, but Select All is available. The non-admin user can check all tasks and perform an action: Cancel Selected, Resume Selected, Force Cancel Selected.

Version-Release number of selected component (if applicable):
6.9

How reproducible:

Always

Steps to Reproduce:
1. Create a non-admin user with 'viewer' role.
2. Log in with the above non-admin role.
3. Go to Monitor -> Tasks -> Select All tasks -> Select Action -> Resume selected
Actual results:

It allows selecting all tasks.

Expected results:

It should not allow selecting all.


Additional info:

Comment 1 Adam Ruzicka 2021-02-11 10:20:17 UTC
The current stance is:
1) The user can select all tasks, even if they cannot select every single task separately
2) The user can try to perform a bulk action against the selection
3) The bulk action is performed only against the tasks against which the user is permitted to perform the action

We cannot forbid users from trying to select all, because we cannot be sure that there is nothing the user could select on other pages. For the same reason, we cannot forbid them from trying to perform a bulk action on all selected tasks, because there may be a task in the selection against which they are allowed to perform the action.

> Non Admin user can check all task and perform Action, Cancel Selected, Resume Selected, Force Cancel selected

They can try to do that. Will the tasks be actually cancelled/resumed/force cancelled?
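
The stance in comment 1 (select all is allowed, the bulk action is filtered server-side to the tasks the user may act on) and the viewer-only case from comment 2, as an added Ruby illustration that is not Foreman's code: the user, task and permission models and the sample data are constructed, and the permission names view_foreman_tasks/edit_foreman_tasks and the owner-scoped edit rule are assumptions made for the example.

```ruby
# Added illustration, not Foreman's code: bulk actions are filtered per task by
# permission on the server, and the index layout exposes whether the user can
# edit anything so the UI can hide the bulk controls (cf. Foreman issue 31873).

Task = Struct.new(:id, :state, :owner)

# Hypothetical user model: a name plus a list of granted permission names.
User = Struct.new(:name, :permissions) do
  def can?(permission, task = nil)
    return false unless permissions.include?(permission)
    # Assumed scoping rule: viewing is global, editing is limited to own tasks.
    task.nil? || permission == "view_foreman_tasks" || task.owner == name
  end
end

# Constructed sample data; a fresh array each call so runs do not interfere.
def sample_tasks
  [
    Task.new(1, "paused", "alice"),
    Task.new(2, "paused", "bob"),
    Task.new(3, "running", "alice"),
  ]
end

# "Select all" semantics: the selection is everything the user can see.
def visible_tasks(user, tasks)
  user.can?("view_foreman_tasks") ? tasks : []
end

# Bulk resume: acts only on selected tasks the user may edit and that are
# resumable; returns the ids actually resumed so partial success is reportable.
def bulk_resume(user, selected)
  selected.select { |t| user.can?("edit_foreman_tasks", t) && t.state == "paused" }
          .each { |t| t.state = "running" }
          .map(&:id)
end

# Flag for the index layout: true only if at least one visible task is editable,
# so a pure viewer never sees bulk controls that would do nothing.
def index_layout(user, tasks)
  { can_edit: visible_tasks(user, tasks).any? { |t| user.can?("edit_foreman_tasks", t) } }
end
```

A viewer gets an empty result from bulk_resume and can_edit: false; a user with edit permission resumes only the paused tasks they own.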

Comment 2 Anand Agrawal 2021-02-11 11:13:44 UTC
(In reply to Adam Ruzicka from comment #1)
> The current stance is:
> 1) The user can select all tasks, even if they cannot select every single
> task separately
> 2) The user can try to perform a bulk action against the selection
> 3) The bulk action is performed only against the tasks against which the
> user is permitted to perform the action
> 
> We cannot forbid users from trying to select all, because we cannot be sure
> that there is nothing the user could select on other pages. For the same
> reason, we cannot forbid them from trying to perform a bulk action on all
> selected tasks, because there may be a task in the selection against which
> they are allowed to perform the action.

Here, I am talking of the viewer role specifically, which will have granular permissions like "view_tasks". With this permission, I do not think the user will have any tasks with permissions to perform the actions (Cancel, Resume, Force).

> 
> > Non Admin user can check all task and perform Action, Cancel Selected, Resume Selected, Force Cancel selected
> 
> They can try to do that. Will the tasks be actually cancelled/resumed/force
> cancelled?

With view-only permission, I do not expect this to be visible.

Comment 3 Bryan Kearney 2021-02-16 20:02:35 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/31872 has been resolved.

Comment 10 Peter Ondrejka 2021-06-02 09:52:12 UTC
Checked on snap_6.10.0_2.0: the viewer is not able to operate on tasks, but the UI sends mixed signals. The select-all checkbox and the confirmation infobox are acting as if selection was possible even though the individual checkboxes are grayed out (see screenshots).

Comment 11 Peter Ondrejka 2021-06-02 09:53:02 UTC
Created attachment 1788651 [details]
batch-selection

Comment 12 Peter Ondrejka 2021-06-02 09:53:43 UTC
Created attachment 1788652 [details]
batch-confirm

Comment 13 Adam Ruzicka 2021-06-02 10:36:25 UTC
This is some kind of miscommunication. This was fixed, the fix was then reverted as mentioned in #4 and was not re-fixed since.

Comment 16 Peter Ondrejka 2021-09-29 12:52:35 UTC
Verified on Sat 6.10 sn 20

Comment 19 errata-xmlrpc 2021-11-16 14:10:01 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.10 Release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4702
