Bug 731204 - Notices need to be sent on permission denied
Summary: Notices need to be sent on permission denied
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: WebUI
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
low
low vote
Target Milestone: Unspecified
Assignee: Partha Aji
QA Contact: Sachin Ghai
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-16 23:05 UTC by Partha Aji
Modified: 2018-08-30 21:57 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-22 21:01:19 UTC


Attachments (Terms of Use)

Description Partha Aji 2011-08-16 23:05:38 UTC
If the user visits a page/performs an operation for which he/she is not authorized, a permission denied notice needs to be sent.

Comment 1 Jason E. Rist 2011-08-17 19:24:30 UTC
In roles-ui

Comment 2 Partha Aji 2011-08-17 19:25:40 UTC
For Ajax calls

Comment 3 Sachin Ghai 2011-09-05 10:26:11 UTC
I verified this with following katello version:
katello-0.1.75-1.git.41.2e9f377.fc15.noarch

I created a user and assigned a newly created role.  That role includes following permissions. 

Permission for org:
access organization
access systems

Permissions for Environment:
Access Changeset in Env
Access env contents
Access systems in Env

Permissions for Provider:
Access provider
Create provider

Permissions for users:
Access users
Create users


When I login with newly created user which has all above permissions and click on sync mgmt tab under content management, UI throws following error:

>> We're sorry, but something went wrong.
>> We've been notified about this issue and we'll take a look at it shortly.

Since I've not assigned the sync related permissions, so ideally a permission denied message should pop up.

Comment 4 Partha Aji 2011-09-20 22:11:50 UTC
So you should not be getting the "500" when you hit the sync management page, I suspect its related to the fact that pulp is not setup to work on multi user oauth with katello yet. That work is still incomplete AFAIK. 
Can you paste the stack trace in katello/production.log when you get this error?

Comment 5 Sachin Ghai 2011-10-03 05:50:37 UTC
I re-verified this defect with new builds:

[root@dhcp201-187 ~]# rpm -qa | grep katello
katello-cli-0.1.10-1.git.436.ebcad79.fc15.noarch
katello-0.1.85-1.git.70.844626c.fc15.noarch
katello-configure-0.1.3-1.git.0.403cd32.fc15.noarch
[root@dhcp201-187 ~]# 


Now, I can traverse the sync management tab. And this time UI doesn't throws any error like I stated in comment3.

I can traverse the "sync management tab". 

So my question is : 

Is it expected behaviour ? Ideally UI should raise the permission denied message because the user with which I login doesn't have sync related permissions.


I used the same permissions as stated in comment3.


log from katello/production.log is 

--
Started GET "/katello//sync_management/index" for 10.65.193.48 at Mon Oct 03 11:10:22 +0530 2011
  Processing by SyncManagementController#index as HTML
Rendered sync_management/_products.html.haml (2.4ms)
Rendered layouts/_ajax_notices.haml (2.3ms)
Rendered layouts/_notification.haml (0.1ms)
Rendered layouts/_org.haml (0.7ms)
Rendered layouts/_header.haml (4.8ms)
Rendered layouts/_footer.haml (0.6ms)
Rendered common/_common_i18n.html.haml (0.2ms)
Rendered sync_management/index.html.haml within layouts/katello (244.3ms)
Completed 200 OK in 265ms (Views: 212.7ms | ActiveRecord: 38.8ms)
--

Comment 6 Mike McCune 2012-01-26 19:38:58 UTC
mass move to CFSE product.

Comment 7 Partha Aji 2012-02-10 00:21:35 UTC
Issue in comment # 3 now should ve been fixed. You should not be able to navigate to the sync management page and you should see a 403 permission denied error on the screen if you tried to add "/katello//sync_management/index" to the URL and tried to visit the page.

Comment 8 Corey Welton 2012-02-10 14:37:16 UTC
I had a user with system permissions.  I manually pasted in the URL for promotions, and got a 403, as expected. However, I did not see any ensuing error message sent to the Notification view, as seen by either the user or the admin user.

Comment 9 Corey Welton 2012-02-10 14:45:05 UTC
Oh, so this bug is not referring to the actual notifications subsystem but rather just a notice (the former might be nice...)

QA Verified.


Note You need to log in before you can comment on or make changes to this bug.