Bug 536414 - (RHQ-766) Non-privileged users should not even see the admin functions they don't have access to
Status: CLOSED NEXTRELEASE
Product: RHQ Project
Classification: Other
Component: No Component
Version: 1.1pre
Hardware: All All
Priority: medium, Severity: medium
Assigned To: RHQ Project Maintainer
http://jira.rhq-project.org/browse/RH...
: Improvement
Reported: 2008-08-28 14:18 EDT by Jeff Weiss
Modified: 2014-11-09 17:50 EST (History)
Fixed In Version: 1.2
Doc Type: Enhancement
jweiss: archived+


Description Jeff Weiss 2008-08-28 14:18:00 EDT
I'm noticing that a view-only user still sees the same admin page as rhqadmin. In fact, it lets you get as far as typing in all the info for creating a new user before it tells you that you aren't allowed to do it. This is not how I would expect it to work. There are probably a lot of bugs I could open on this that would be fixed just by getting rid of the admin page for non-admin users.
For instance, creating a role gives a wrong error message: "Failed to save the role - make sure one does not already exist with that name". The real reason is the user doesn't have permission to create roles.
Comment 1 Heiko W. Rupp 2008-09-08 11:24:31 EDT
From IT#218424

"
However, even if the logged in LDAP user has no roles associated with it, the user is able to access the Administration section from within the JBoss ON GUI.

I think this is a severe security limitation.

The logged in LDAP user can view users, list the current roles, can see the server configuration etc. Although it is not able to modify any settings, I think the user should not be able to see such key information and Administration settings.
"
Comment 2 Joseph Marques 2009-04-28 05:02:42 EDT
When mazz moved all of the functions from the administration page up into the menu bar, he also made sure to handle display of the menu items based on the user's permissions.
Comment 3 Red Hat Bugzilla 2009-11-10 16:16:29 EST
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-766
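
The two problems reported in this thread (admin functions shown to users who cannot use them, and a permission failure surfacing as "make sure one does not already exist with that name") can be illustrated with the sketch below. It is an added example, not RHQ code and not part of the original bug; the permission names, function labels and messages are hypothetical.

```python
from enum import Enum

class Permission(Enum):              # hypothetical permission names
    MANAGE_SECURITY = "users and roles"
    MANAGE_SETTINGS = "server configuration"

class PermissionDenied(Exception):
    pass

class DuplicateRole(Exception):
    pass

# One table drives both the menu and the server-side check, so they cannot drift.
ADMIN_FUNCTIONS = {
    "List users": Permission.MANAGE_SECURITY,
    "Create user": Permission.MANAGE_SECURITY,
    "List roles": Permission.MANAGE_SECURITY,
    "Create role": Permission.MANAGE_SECURITY,
    "Server configuration": Permission.MANAGE_SETTINGS,
}

def visible_menu(granted):
    """Menu entries this user may see; empty for a user with no roles."""
    return [name for name, needed in ADMIN_FUNCTIONS.items() if needed in granted]

def require(granted, function):
    """Server-side gate: hiding a menu item is not enforcement."""
    needed = ADMIN_FUNCTIONS[function]
    if needed not in granted:
        raise PermissionDenied(f"'{function}' requires {needed.name}")

def create_role(roles, granted, name):
    require(granted, "Create role")      # check before any work is done
    if name in roles:
        raise DuplicateRole(name)
    roles.add(name)

def create_role_message(roles, granted, name):
    """Map each failure to its own message instead of one catch-all."""
    try:
        create_role(roles, granted, name)
    except PermissionDenied as exc:
        return f"Not authorized: {exc}"
    except DuplicateRole:
        return f"A role named '{name}' already exists"
    return "Role saved"
```

Because the menu and the gate read the same table, a user with no roles gets an empty admin menu and, if the request is sent anyway, an authorization error rather than a misleading save failure.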
