Bug 682710 - Administration - Users: A user without 'Manage Security' permissions can delete another users
Summary: Administration - Users: A user without 'Manage Security' permissions can dele...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Core Server
Version: 4.0.0.B02
Hardware: Unspecified
OS: Unspecified
urgent
high vote
Target Milestone: ---
: ---
Assignee: Ian Springer
QA Contact: Corey Welton
URL:
Whiteboard:
Depends On:
Blocks: rhq4 gwt-admin-usersroles
TreeView+ depends on / blocked
 
Reported: 2011-03-07 11:05 UTC by Sunil Kondkar
Modified: 2013-08-06 00:38 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Sunil Kondkar 2011-03-07 11:05:25 UTC
Description of problem:

A user without 'Manage Security' permissions when navigates through the Administration->Security->Users list, the users list row items are selectable. Selecting a row except rhqadmin user enables the Delete button and other users can be deleted.

Version-Release number of selected component (if applicable):
Build# 1074  (Version: 4.0.0-SNAPSHOT Build Number: 77ad7aa)

How reproducible:
Always

Steps to Reproduce:

1. Login to RHQ as rhqadmin

2. Create a role without 'Manage Security' permissions.

3. Create a user and add the user to the above role.

4. Login to RHQ as the user without 'Manage Security' permissions.

5. Navigate to Administartion->Security->Users

6. Select any other user in the users list except rhqadmin.

7. Observe that the 'Delete' button get's enabled.

8. Click on 'Delete' button.

9. Click 'Yes' on the confirmation message.

10. The user get's deleted.

Actual results:

For a user without 'Manage Security' permissions, the user's list row items are selectable, selecting the row items enables the 'Delete' Button and other user gets deleted clicking the 'Delete' button.

Expected results:

1. A user without 'Manage Security' permissions should not be able to delete the other users.

2. If a user does not have 'Manage Security' permissions, the  row items should not be selectable.


Additional info:

Comment 1 Ian Springer 2011-03-08 23:19:45 UTC
Fixed - [master fbbf83c].

Comment 2 Sunil Kondkar 2011-03-09 10:54:48 UTC
Verified on Build# 1083 ( Version: 4.0.0-SNAPSHOT Build Number: fbbf83c)

For a user without 'Manage Security' permissions the row items on users list are not selectable.

Marking the bug as verified.

Comment 3 Corey Welton 2011-05-24 01:16:56 UTC
Bookkeeping - closing bug - fixed in recent release.

Comment 4 Corey Welton 2011-05-24 01:16:56 UTC
Bookkeeping - closing bug - fixed in recent release.

Comment 5 Corey Welton 2011-05-24 01:16:56 UTC
Bookkeeping - closing bug - fixed in recent release.

Comment 6 Corey Welton 2011-05-24 01:17:13 UTC
Bookkeeping - closing bug - fixed in recent release.


Note You need to log in before you can comment on or make changes to this bug.