Bug 642231 - User without edit permissions is able to edit the data
Status: CLOSED CURRENTRELEASE
Product: RHQ Project
Classification: Other
Component: Core UI
Version: 4.0.0
Hardware: All Linux
Priority: high
Severity: high
Assigned To: Ian Springer
QA Contact: Corey Welton
Blocks: rhq4 gwt-table-details
Reported: 2010-10-12 08:16 EDT by Sunil Kondkar
Modified: 2013-08-05 20:38 EDT
Doc Type: Bug Fix
Last Closed: 2011-05-23 21:07:23 EDT

Description Sunil Kondkar 2010-10-12 08:16:26 EDT
Description of problem:

If a user does not have permissions to edit the data (Ex: without 'Manage_Security' permissions), he is able to edit and save the 'manage user' data.

Version-Release number of selected component (if applicable):
rhq build#401

How reproducible:

Always

Steps to Reproduce:

1. Create a role without 'Manage_Security' permissions.
2. Create a new user and assign the role created above.
3. Log in to Jon as the newly created user.
4. Navigate to 'Administration->Users'.
5. Double-click on a row having user details.
6. Edit the last name and save.
  
Actual results:
User can edit and save the data

Expected results:
User should not be able to select, edit and save the data. The buttons like 'New', 'Save', 'Reset' and 'Delete' should be disabled.

Additional info:
Comment 1 Jay Shaughnessy 2011-02-14 09:26:12 EST
This actually generated an uncaught exception for me.
Comment 2 Ian Springer 2011-02-15 11:25:30 EST
Note, a user should be able to edit their own basic data - first name, last name, phone #, password, etc. But they should not be able to edit their permissions, roles, or groups, unless they have manage_security.
Comment 3 Ian Springer 2011-02-24 17:22:30 EST
I fixed a few related minor issues with commit [master 9acdc2f], but this was mainly working as designed - that is, a user can edit themselves, with the exceptions of the enabled/active field and their assigned roles.
Comment 4 Sunil Kondkar 2011-03-02 05:20:10 EST
Verified on Build#1056 (Version: 4.0.0-SNAPSHOT Build Number: 643ac4b).

This is working as designed. No exception is observed. User without 'Manage_Security' permissions is able to update his own data. Other users' data is view-only.

Marking as verified.
Comment 5 Corey Welton 2011-05-23 21:07:23 EDT
Bookkeeping - closing bug - fixed in recent release.
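
The rule stated in comments 2 to 4, sketched as one field-level check that both the form (which fields to enable) and the save path can call. This is an added example, not RHQ code; `Subject`, the field names and the `MANAGE_SECURITY` string are assumptions, as is letting a holder of that permission edit any user.

```python
from dataclasses import dataclass

# Assumed field names, modeled on the fields named in comments 2 and 3.
SELF_EDITABLE = frozenset({"first_name", "last_name", "phone", "password"})
SECURITY_ONLY = frozenset({"enabled", "roles", "groups"})
MANAGE_SECURITY = "MANAGE_SECURITY"  # assumed permission identifier


@dataclass(frozen=True)
class Subject:
    """Hypothetical logged-in user: an id plus the permissions of its roles."""
    user_id: int
    permissions: frozenset = frozenset()


class NotAuthorized(Exception):
    pass


def editable_fields(actor, target_user_id):
    """Fields the actor may change on the target user (empty = view-only)."""
    if MANAGE_SECURITY in actor.permissions:
        return set(SELF_EDITABLE | SECURITY_ONLY)
    if actor.user_id == target_user_id:
        return set(SELF_EDITABLE)  # own basic data only
    return set()                   # other users' data is view-only


def authorize_user_update(actor, target_user_id, changes):
    """Validate a save request; anything not explicitly allowed is refused."""
    denied = set(changes) - editable_fields(actor, target_user_id)
    if denied:
        raise NotAuthorized(f"fields not editable by this user: {sorted(denied)}")
    return dict(changes)


if __name__ == "__main__":
    plain = Subject(user_id=2)  # constructed sample: role without MANAGE_SECURITY
    print(sorted(editable_fields(plain, 2)))  # own record
    print(sorted(editable_fields(plain, 3)))  # someone else's record
```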
