Bug 591122 - Users should not be able to see other users or Roles if they aren't authorized
Summary: Users should not be able to see other users or Roles if they aren't authorized
Alias: None
Product: RHQ Project
Classification: Other
Component: Core UI
Version: 1.3.1
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: RHQ Project Maintainer
QA Contact: Corey Welton
Depends On:
TreeView+ depends on / blocked
Reported: 2010-05-11 13:39 UTC by dsteigne
Modified: 2018-10-27 16:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-09-21 15:12:09 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker PRODMGT-87 0 None Resolved Users without admin role should not be able to see other users and user details on the system 2012-02-01 11:09:25 UTC

Description dsteigne 2010-05-11 13:39:46 UTC
Description of problem:

Setup a user assigned to a group not authorized to:
Manage Security(Users/Roles)
Login as that user, they can still see the Users and the Change Password link, changing the password fails, but the user shouldn't have access to other users at all.  Same with Roles, user cannot make any edits, but they can still see all Roles and the Users assigned to them. 

Version-Release number of selected component (if applicable):

Comment 1 Joseph Marques 2010-09-21 15:12:09 UTC
we decided a while back that it was ok for all users to be able to see other users/roles in the system just in case they wanted to, for example, set up an alert definition that upon trigger would sent notifications to a list of users and/or a list of roles.

the old UI is going away for RHQ 4 and will be replaced with a new GWT-based one.  we'll make sure to pay attention to authorization, and conditionally render links so that unauthorized users don't think they have the ability to change passwords.

Comment 2 Larry O'Leary 2012-02-01 04:33:01 UTC
Looks like Bug 786159 might address this as a feature.

Note You need to log in before you can comment on or make changes to this bug.