731204 – Notices need to be sent on permission denied

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 731204 - Notices need to be sent on permission denied

Summary: Notices need to be sent on permission denied

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	WebUI
Sub Component:
Version:	6.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	Unspecified
Assignee:	Partha Aji
QA Contact:	Sachin Ghai
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-08-16 23:05 UTC by Partha Aji
Modified:	2019-09-26 17:46 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-08-22 21:01:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Partha Aji 2011-08-16 23:05:38 UTC

If the user visits a page/performs an operation for which he/she is not authorized, a permission denied notice needs to be sent.

Comment 1 Jason E. Rist 2011-08-17 19:24:30 UTC

In roles-ui

Comment 2 Partha Aji 2011-08-17 19:25:40 UTC

For Ajax calls

Comment 3 Sachin Ghai 2011-09-05 10:26:11 UTC

I verified this with following katello version:
katello-0.1.75-1.git.41.2e9f377.fc15.noarch

I created a user and assigned a newly created role.  That role includes following permissions. 

Permission for org:
access organization
access systems

Permissions for Environment:
Access Changeset in Env
Access env contents
Access systems in Env

Permissions for Provider:
Access provider
Create provider

Permissions for users:
Access users
Create users


When I login with newly created user which has all above permissions and click on sync mgmt tab under content management, UI throws following error:

>> We're sorry, but something went wrong.
>> We've been notified about this issue and we'll take a look at it shortly.

Since I've not assigned the sync related permissions, so ideally a permission denied message should pop up.

Comment 4 Partha Aji 2011-09-20 22:11:50 UTC

So you should not be getting the "500" when you hit the sync management page, I suspect its related to the fact that pulp is not setup to work on multi user oauth with katello yet. That work is still incomplete AFAIK. 
Can you paste the stack trace in katello/production.log when you get this error?

Comment 5 Sachin Ghai 2011-10-03 05:50:37 UTC

I re-verified this defect with new builds:

[root@dhcp201-187 ~]# rpm -qa | grep katello
katello-cli-0.1.10-1.git.436.ebcad79.fc15.noarch
katello-0.1.85-1.git.70.844626c.fc15.noarch
katello-configure-0.1.3-1.git.0.403cd32.fc15.noarch
[root@dhcp201-187 ~]# 


Now, I can traverse the sync management tab. And this time UI doesn't throws any error like I stated in comment3.

I can traverse the "sync management tab". 

So my question is : 

Is it expected behaviour ? Ideally UI should raise the permission denied message because the user with which I login doesn't have sync related permissions.


I used the same permissions as stated in comment3.


log from katello/production.log is 

--
Started GET "/katello//sync_management/index" for 10.65.193.48 at Mon Oct 03 11:10:22 +0530 2011
  Processing by SyncManagementController#index as HTML
Rendered sync_management/_products.html.haml (2.4ms)
Rendered layouts/_ajax_notices.haml (2.3ms)
Rendered layouts/_notification.haml (0.1ms)
Rendered layouts/_org.haml (0.7ms)
Rendered layouts/_header.haml (4.8ms)
Rendered layouts/_footer.haml (0.6ms)
Rendered common/_common_i18n.html.haml (0.2ms)
Rendered sync_management/index.html.haml within layouts/katello (244.3ms)
Completed 200 OK in 265ms (Views: 212.7ms | ActiveRecord: 38.8ms)
--

Comment 6 Mike McCune 2012-01-26 19:38:58 UTC

mass move to CFSE product.

Comment 7 Partha Aji 2012-02-10 00:21:35 UTC

Issue in comment # 3 now should ve been fixed. You should not be able to navigate to the sync management page and you should see a 403 permission denied error on the screen if you tried to add "/katello//sync_management/index" to the URL and tried to visit the page.

Comment 8 Corey Welton 2012-02-10 14:37:16 UTC

I had a user with system permissions.  I manually pasted in the URL for promotions, and got a 403, as expected. However, I did not see any ensuing error message sent to the Notification view, as seen by either the user or the admin user.

Comment 9 Corey Welton 2012-02-10 14:45:05 UTC

Oh, so this bug is not referring to the actual notifications subsystem but rather just a notice (the former might be nice...)

QA Verified.

Note You need to log in before you can comment on or make changes to this bug.