Description of problem:
Even if a user has repo mgr permissions, if he sets up a private repo for another user, he gets a permission error trying to access it.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create two users, "repomgr" and "joeuser". Grant "repomgr" Repo Manager permissions. Grant no rights to "joeuser"
2. Login as repomgr and create a new repo, "private repo". Make this repo private and set the owner to "joeuser".
3. Navigate back to the Repositories main view.
4. Click the "private repo" link.

Actual results:
PermissionException
Subject [repomgr] is not authorized for [MANAGE_INVENTORY]: invocation: method=public org.rhq.core.domain.util.PageList<org.rhq.core.domain.resource.Resource> org.rhq.enterprise.server.content.RepoManagerBean.findSubscribedResources(org.rhq.core.domain.auth.Subject,int,org.rhq.core.domain.util.PageControl),context-data={}

Expected results:
It would seem that anyone with repo mgr permissions should be able to see the repo, even if it is private? Failing that, it shouldn't show up in the user's list.

Additional info:
Actually it appears that user repomgr cannot access any repo made private, even if it is owned by himself!
...or any repo, private or not.
Lukas, any impact on the scripts from alerts work?
(10:20:52 AM) ccrouch: lkrejci: any comments for https://bugzilla.redhat.com/show_bug.cgi?id=698756
(10:21:55 AM) lkrejci: ccrouch: i believe that has the same cause as https://bugzilla.redhat.com/show_bug.cgi?id=698760
(10:22:16 AM) lkrejci: and that's the fact that i borked the conversion from repo.xhtml to repo-plain.xhtml
(10:22:28 AM) lkrejci: it's a super easy fix, i will commit it shortly
commit 75d48dacc84f2d0020f93f6849367e267588b020
Author: Lukas Krejci <lkrejci>
Date: Mon Apr 25 17:55:08 2011 +0200

    BZ 698760, BZ 698756 - polishing the repo details page.

    Edit mode wasn't functioning due to missed out parameter definitions during conversion from repo.xhtml to repo-plain.xhtml.
    The "private" toggle in edit mode wasn't working due to usage of wrong UI bean (a copy&paste bug)
    The user with repo manager privs can view any repo now even if s/he isn't an inventory manager - wrong perm check used in the UI.
This is verified on the RHQ 4.0 released version, as follows: followed the steps to reproduce documented above and observed the correct behavior. The repomgr (with repo permissions) could view and edit the private repo owned by repouser. The repo user (with no repo permissions) could view and edit the private repo owned by him. Another repo user, repouser2, with no permissions who did not own the private repo could not view the private repo.
Bookkeeping - closing bug - fixed in recent release.