Red Hat Bugzilla – Bug 682710
Administration - Users: A user without 'Manage Security' permissions can delete another users
Last modified: 2013-08-05 20:38:51 EDT
Description of problem:
A user without 'Manage Security' permissions when navigates through the Administration->Security->Users list, the users list row items are selectable. Selecting a row except rhqadmin user enables the Delete button and other users can be deleted.
Version-Release number of selected component (if applicable):
Build# 1074 (Version: 4.0.0-SNAPSHOT Build Number: 77ad7aa)
Steps to Reproduce:
1. Login to RHQ as rhqadmin
2. Create a role without 'Manage Security' permissions.
3. Create a user and add the user to the above role.
4. Login to RHQ as the user without 'Manage Security' permissions.
5. Navigate to Administartion->Security->Users
6. Select any other user in the users list except rhqadmin.
7. Observe that the 'Delete' button get's enabled.
8. Click on 'Delete' button.
9. Click 'Yes' on the confirmation message.
10. The user get's deleted.
For a user without 'Manage Security' permissions, the user's list row items are selectable, selecting the row items enables the 'Delete' Button and other user gets deleted clicking the 'Delete' button.
1. A user without 'Manage Security' permissions should not be able to delete the other users.
2. If a user does not have 'Manage Security' permissions, the row items should not be selectable.
Fixed - [master fbbf83c].
Verified on Build# 1083 ( Version: 4.0.0-SNAPSHOT Build Number: fbbf83c)
For a user without 'Manage Security' permissions the row items on users list are not selectable.
Marking the bug as verified.
Bookkeeping - closing bug - fixed in recent release.