Red Hat Bugzilla – Bug 642231
User without edit permissions is able to edit the data
Last modified: 2013-08-05 20:38:19 EDT
Description of problem:
If a user does not have permissions to edit the data (Ex: without 'Manage_Security' permissions), he is able to edit and save the 'manage user' data.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a role without 'Manage_Security' permissions.
2. Create a new user and assign the role created above.
3. Log in to Jon as the newly created user.
4. Navigate to 'Administration->Users'.
5. Double-click on a row having user details.
6. Edit the last name and save.
User can edit and save the data
User should not be able to select, edit and save the data. The buttons like 'New', 'Save', 'Reset' and 'Delete' should be disabled.
This actually generated an uncaught exception for me.
Note, a user should be able to edit their own basic data - first name, last name, phone #, password, etc. But they should not be able to edit their permissions, roles, or groups, unless they have manage_security.
I fixed a few related minor issues with commit [master 9acdc2f], but this was mainly working as designed - that is, a user can edit themselves, with the exceptions of the enabled/active field and their assigned roles.
Verified on Build#1056 (Version: 4.0.0-SNAPSHOT Build Number: 643ac4b).
This is working as designed. No exception is observed. A user without 'Manage_Security' permissions is able to update his own data. Other users' data is view-only.
Marking as verified.
Bookkeeping - closing bug - fixed in recent release.
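The rule settled on in this thread (a user may edit their own basic data, but not the enabled/active field, roles, groups or permissions, and not other users' records, unless they hold manage_security) can be enforced on the server as a field-level allow-list. The sketch below is an added example, not RHQ/JON code; the field names, the `User` class and the `store` dictionary are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MANAGE_SECURITY = "MANAGE_SECURITY"  # permission name as used in the report

# Assumed field names: the thread lists first name, last name, phone # and
# password as self-editable; everything else (enabled, roles, groups,
# permissions, unknown fields) is denied by default.
SELF_EDITABLE = {"first_name", "last_name", "phone", "password"}


@dataclass
class User:
    user_id: int
    permissions: set = field(default_factory=set)


class Forbidden(Exception):
    """Raised when an update touches fields the actor may not change."""


def denied_fields(actor: User, target_id: int, changes: dict) -> set:
    """Return the subset of changed fields the actor is not allowed to write."""
    requested = set(changes)
    if MANAGE_SECURITY in actor.permissions:
        return set()
    if actor.user_id != target_id:
        # Other users' records are view-only without MANAGE_SECURITY.
        return requested
    # Own record: only allow-listed basic fields pass.
    return requested - SELF_EDITABLE


def apply_update(actor: User, target_id: int, changes: dict, store: dict) -> dict:
    """Check the whole request before persisting; reject it if any field is denied."""
    denied = denied_fields(actor, target_id, changes)
    if denied:
        raise Forbidden(f"user {actor.user_id} may not modify: {sorted(denied)}")
    store[target_id].update(changes)
    return store[target_id]
```

Because the whole request is rejected when any field is denied, a request that mixes an allowed change with a role or enabled-flag change leaves the stored record untouched.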