Bug 682710 - Administration - Users: A user without 'Manage Security' permissions can delete another users
Administration - Users: A user without 'Manage Security' permissions can dele...
Status: CLOSED CURRENTRELEASE
Product: RHQ Project
Classification: Other
Component: Core Server (Show other bugs)
4.0.0.B02
Unspecified Unspecified
urgent Severity high (vote)
: ---
: ---
Assigned To: Ian Springer
Corey Welton
:
Depends On:
Blocks: rhq4 gwt-admin-usersroles
  Show dependency treegraph
 
Reported: 2011-03-07 06:05 EST by Sunil Kondkar
Modified: 2013-08-05 20:38 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sunil Kondkar 2011-03-07 06:05:25 EST
Description of problem:

A user without 'Manage Security' permissions when navigates through the Administration->Security->Users list, the users list row items are selectable. Selecting a row except rhqadmin user enables the Delete button and other users can be deleted.

Version-Release number of selected component (if applicable):
Build# 1074  (Version: 4.0.0-SNAPSHOT Build Number: 77ad7aa)

How reproducible:
Always

Steps to Reproduce:

1. Login to RHQ as rhqadmin

2. Create a role without 'Manage Security' permissions.

3. Create a user and add the user to the above role.

4. Login to RHQ as the user without 'Manage Security' permissions.

5. Navigate to Administartion->Security->Users

6. Select any other user in the users list except rhqadmin.

7. Observe that the 'Delete' button get's enabled.

8. Click on 'Delete' button.

9. Click 'Yes' on the confirmation message.

10. The user get's deleted.

Actual results:

For a user without 'Manage Security' permissions, the user's list row items are selectable, selecting the row items enables the 'Delete' Button and other user gets deleted clicking the 'Delete' button.

Expected results:

1. A user without 'Manage Security' permissions should not be able to delete the other users.

2. If a user does not have 'Manage Security' permissions, the  row items should not be selectable.


Additional info:
Comment 1 Ian Springer 2011-03-08 18:19:45 EST
Fixed - [master fbbf83c].
Comment 2 Sunil Kondkar 2011-03-09 05:54:48 EST
Verified on Build# 1083 ( Version: 4.0.0-SNAPSHOT Build Number: fbbf83c)

For a user without 'Manage Security' permissions the row items on users list are not selectable.

Marking the bug as verified.
Comment 3 Corey Welton 2011-05-23 21:16:56 EDT
Bookkeeping - closing bug - fixed in recent release.
Comment 4 Corey Welton 2011-05-23 21:16:56 EDT
Bookkeeping - closing bug - fixed in recent release.
Comment 5 Corey Welton 2011-05-23 21:16:56 EDT
Bookkeeping - closing bug - fixed in recent release.
Comment 6 Corey Welton 2011-05-23 21:17:13 EDT
Bookkeeping - closing bug - fixed in recent release.

Note You need to log in before you can comment on or make changes to this bug.