Description of problem:
If a user does not have permissions to edit the data (Ex: without 'Manage_Security' permissions), he is able to edit and save the 'manage user' data.

Version-Release number of selected component (if applicable):
rhq build#401

How reproducible:
Always

Steps to Reproduce:
1. Create a role without 'Manage_Security' permissions.
2. Create a new user and assign the role created above
3. Login to Jon as newly created user
4. Navigate to 'Administration->Users'.
5. Double-click on a row having user details
6. Edit the last name and save.

Actual results:
User can edit and save the data

Expected results:
User should not be able to select, edit and save the data. The buttons like 'New', 'Save', 'Reset' and 'Delete' should be disabled.

Additional info:
This actually generated an uncaught exception for me.
Note, a user should be able to edit their own basic data - first name, last name, phone #, password, etc. But they should not be able to edit their permissions, roles, or groups, unless they have manage_security.
I fixed a few related minor issues with commit [master 9acdc2f], but this was mainly working as designed - that is, a user can edit themselves, with the exceptions of the enabled/active field and their assigned roles.
Verified on Build#1056 (Version: 4.0.0-SNAPSHOT Build Number: 643ac4b). This is working as designed. No exception is observed. User without 'Manage_Security' permissions is able to update his own data. Other users' data is view only. Marking as verified.
Bookkeeping - closing bug - fixed in recent release.
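
The rule the comments above settle on (a user may edit their own basic data, the enabled/active field and role assignments need Manage_Security, and other users' records are view-only) is the kind of check that belongs on the server that processes the save, independent of which buttons the UI disables. The following is an added illustration, not RHQ code; `Subject`, `authorize_user_update` and the field names are hypothetical.

```python
from dataclasses import dataclass

MANAGE_SECURITY = "MANAGE_SECURITY"
# Allow-list of self-service fields (assumed names); everything else,
# e.g. "enabled" and "roles", needs MANAGE_SECURITY.
SELF_EDITABLE = frozenset({"first_name", "last_name", "phone", "password"})


class Forbidden(Exception):
    """Raised when the caller may not apply the submitted change."""


@dataclass(frozen=True)
class Subject:  # hypothetical caller identity, resolved from the session
    user_id: int
    permissions: frozenset = frozenset()


def authorize_user_update(caller, target_id, stored, submitted):
    """Return the set of changed fields if the caller may write all of them."""
    changed = {k for k, v in submitted.items() if stored.get(k) != v}
    if MANAGE_SECURITY in caller.permissions:
        return changed
    if caller.user_id != target_id:
        raise Forbidden("other users' records are view-only")
    denied = changed - SELF_EDITABLE
    if denied:  # deny by default: unknown fields land here too
        raise Forbidden(f"requires {MANAGE_SECURITY}: {sorted(denied)}")
    return changed


if __name__ == "__main__":
    # Constructed sample record and requests.
    stored = {"first_name": "Pat", "last_name": "Lee", "enabled": True, "roles": ["Viewer"]}
    pat = Subject(user_id=7)
    requests = [
        (7, {**stored, "last_name": "Li"}),          # own basic data
        (7, {**stored, "roles": ["Super User"]}),    # own role assignment
        (8, {**stored, "last_name": "Li"}),          # someone else's record
    ]
    for target, body in requests:
        try:
            print("allowed:", authorize_user_update(pat, target, stored, body))
        except Forbidden as exc:
            print("denied:", exc)
```

Because the check compares the submitted record with the stored one, a client that re-sends unchanged role or enabled values is not rejected, while any field outside the allow-list is.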