Bug 642231 - User without edit permissions is able to edit the data
Summary: User without edit permissions is able to edit the data
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Core UI
Version: 4.0.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Ian Springer
QA Contact: Corey Welton
URL:
Whiteboard:
Depends On:
Blocks: rhq4 gwt-table-details
Reported: 2010-10-12 12:16 UTC by Sunil Kondkar
Modified: 2013-08-06 00:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-24 01:07:23 UTC
Embargoed:



Description Sunil Kondkar 2010-10-12 12:16:26 UTC
Description of problem:

If a user does not have permissions to edit the data (Ex: without 'Manage_Security' permissions), he is able to edit and save the 'manage user' data.

Version-Release number of selected component (if applicable):
rhq build#401

How reproducible:

Always

Steps to Reproduce:

1. Create a role without 'Manage_Security' permissions.
2. Create a new user and assign the role created above.
3. Log in to Jon as newly created user.
4. Navigate to 'Administration->Users'.
5. Double-click on a row having user details.
6. Edit the last name and save.
  
Actual results:
User can edit and save the data

Expected results:
User should not be able to select, edit and save the data. The buttons like 'New', 'Save', 'Reset' and 'Delete' should be disabled.

Additional info:

Comment 1 Jay Shaughnessy 2011-02-14 14:26:12 UTC
This actually generated an uncaught exception for me.

Comment 2 Ian Springer 2011-02-15 16:25:30 UTC
Note, a user should be able to edit their own basic data - first name, last name, phone #, password, etc. But they should not be able to edit their permissions, roles, or groups, unless they have manage_security.

Comment 3 Ian Springer 2011-02-24 22:22:30 UTC
I fixed a few related minor issues with commit [master 9acdc2f], but this was mainly working as designed - that is, a user can edit themselves, with the exceptions of the enabled/active field and their assigned roles.

Comment 4 Sunil Kondkar 2011-03-02 10:20:10 UTC
Verified on Build#1056 (Version: 4.0.0-SNAPSHOT Build Number: 643ac4b).

This is working as designed. No exception is observed. User without 'Manage_Security' permissions is able to update his own data. Other users' data is view only.

Marking as verified.
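
The rule stated in comments 2 to 4, written as a server-side check on each save request. This is an added example, not RHQ code: the field names, the `User` class and the assumption that a `MANAGE_SECURITY` holder may edit any user's listed fields are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical field names; the split follows comments 2 and 3.
SELF_EDITABLE = {"first_name", "last_name", "phone", "password"}
SECURITY_FIELDS = {"enabled", "roles"}  # need MANAGE_SECURITY
MANAGE_SECURITY = "MANAGE_SECURITY"


@dataclass
class User:
    user_id: int
    permissions: set = field(default_factory=set)


class NotAuthorized(Exception):
    """Raised when a save request touches a field the actor may not change."""


def authorize_user_update(actor, target_id, changes):
    """Return the changes if the actor may apply all of them, else raise.

    Evaluated on the server for every save, so the result does not depend
    on which buttons ('New', 'Save', 'Reset', 'Delete') the UI disabled.
    """
    if MANAGE_SECURITY in actor.permissions:
        # Assumption: security managers may edit every listed field.
        allowed = SELF_EDITABLE | SECURITY_FIELDS
    elif actor.user_id == target_id:
        allowed = SELF_EDITABLE  # own basic data only
    else:
        allowed = set()  # other users' data is view only
    # Unknown fields are never in `allowed`, so they are denied by default.
    denied = sorted(set(changes) - allowed)
    if denied:
        # Reject the whole request instead of silently dropping fields.
        raise NotAuthorized(
            f"user {actor.user_id} may not change {denied} on user {target_id}"
        )
    return dict(changes)


if __name__ == "__main__":
    plain = User(user_id=1)  # constructed sample: no MANAGE_SECURITY
    print(authorize_user_update(plain, 1, {"last_name": "Smith"}))
    try:
        authorize_user_update(plain, 1, {"roles": ["admin"]})
    except NotAuthorized as exc:
        print("denied:", exc)
```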

Comment 5 Corey Welton 2011-05-24 01:07:23 UTC
Bookkeeping - closing bug - fixed in recent release.

