Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
Bug 591122 - Users should not be able to see other users or Roles if they aren't authorized
Users should not be able to see other users or Roles if they aren't authorized
Product: RHQ Project
Classification: Other
Component: Core UI (Show other bugs)
All Linux
low Severity medium (vote)
: ---
: ---
Assigned To: RHQ Project Maintainer
Corey Welton
Depends On:
  Show dependency treegraph
Reported: 2010-05-11 09:39 EDT by dsteigne
Modified: 2018-10-27 12:10 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2010-09-21 11:12:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker PRODMGT-87 None Resolved Users without admin role should not be able to see other users and user details on the system 2012-02-01 06:09:25 EST

  None (edit)
Description dsteigne 2010-05-11 09:39:46 EDT
Description of problem:

Setup a user assigned to a group not authorized to:
Manage Security(Users/Roles)
Login as that user, they can still see the Users and the Change Password link, changing the password fails, but the user shouldn't have access to other users at all.  Same with Roles, user cannot make any edits, but they can still see all Roles and the Users assigned to them. 

Version-Release number of selected component (if applicable):
Comment 1 Joseph Marques 2010-09-21 11:12:09 EDT
we decided a while back that it was ok for all users to be able to see other users/roles in the system just in case they wanted to, for example, set up an alert definition that upon trigger would sent notifications to a list of users and/or a list of roles.

the old UI is going away for RHQ 4 and will be replaced with a new GWT-based one.  we'll make sure to pay attention to authorization, and conditionally render links so that unauthorized users don't think they have the ability to change passwords.
Comment 2 Larry O'Leary 2012-01-31 23:33:01 EST
Looks like Bug 786159 might address this as a feature.

Note You need to log in before you can comment on or make changes to this bug.