Red Hat Bugzilla – Bug 536414
Non-privileged users should not even see the admin functions they don't have access to
Last modified: 2014-11-09 17:50:16 EST
I'm noticing that a view-only user still sees the same admin page as rhqadmin. In fact, it lets you get as far as typing in all the info for creating a new user before it tells you that you aren't allowed to do it. This is not how I would expect it to work. There's probably a lot of bugs I could open on this that would be fixed just by getting rid of the admin page for non-admin users.
For instance, creating a role gives a wrong error message "Failed to save the role - make sure one does not already exist with that name". The real reason is the user doesn't have permission to create roles.
However, even if the logged-in LDAP user has no roles associated with it, the user is able to access the Administration section from within the JBoss ON GUI.
I think this is a severe security limitation.
The logged-in LDAP user can view users, list the current roles, see the server configuration, etc. Although it is not able to modify any settings, I think the user should not be able to see such key information and Administration settings.
When mazz moved all of the functions from the administration page up into the menu bar, he also made sure to handle display of the menu items based on the user's permissions.
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-766
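As an added example, not code from this bug or from RHQ/JBoss ON itself: the two points raised in the thread, hiding admin entries a user has no permission for, and reporting a permission failure as such instead of as a "role already exists" error. The users, permission names and menu entries are constructed for the example.

```python
# Added example (not RHQ's code): gate admin navigation and admin actions on
# the actor's permissions, and report an authorization failure as such rather
# than as a name-collision error. Users, permission names and menu entries
# below are constructed for illustration.
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the actor lacks the permission an admin action requires."""


class DuplicateName(Exception):
    """Raised only after authorization passed and the name really is taken."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()


# Admin menu entries and the permission each one requires (constructed).
ADMIN_MENU = {
    "Users": "MANAGE_SECURITY",
    "Roles": "MANAGE_SECURITY",
    "Server Configuration": "MANAGE_SETTINGS",
}


def visible_admin_items(user):
    """Menu entries the user may see: hide every entry they cannot act on."""
    return [item for item, perm in ADMIN_MENU.items() if perm in user.permissions]


class RoleStore:
    def __init__(self):
        self.roles = set()

    def create_role(self, actor, name):
        # Authorization comes first: a view-only user never reaches the
        # uniqueness check, so they cannot learn which role names exist and
        # the error they get names the real cause.
        if "MANAGE_SECURITY" not in actor.permissions:
            raise PermissionDenied(f"{actor.name} may not create roles")
        if name in self.roles:
            raise DuplicateName(f"a role named {name!r} already exists")
        self.roles.add(name)
        return name
```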