Bug 735975 - 'Remove User' shouldn't be active If assigned role has access/update related permissions
Summary: 'Remove User' shouldn't be active If assigned role has access/update related ...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: WebUI
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Partha Aji
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks: katello-blockers
Reported: 2011-09-06 10:50 UTC by Sachin Ghai
Modified: 2013-03-27 21:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-22 17:55:27 UTC


Attachments
Remove user on top right of 'Edit User' window (29.46 KB, image/png)
2011-09-06 10:53 UTC, Sachin Ghai
"Remove user" is activated on top right of 'Edit User' window (36.32 KB, image/png)
2011-10-03 06:29 UTC, Sachin Ghai
"Remove user" is removed on top right of 'Edit User' window with the permissions mentioned in defect's description (37.50 KB, image/png)
2011-12-23 11:45 UTC, Sachin Ghai

Description Sachin Ghai 2011-09-06 10:50:18 UTC
Description of problem:
I created a customized role. That role includes the following permissions:

Permissions for User 
- Access user
- Update user

Permissions for Roles:
- Access roles
- Update roles

I assigned this role to a newly created user. When I log in with this user and check Roles/permissions on the right pane under 'Edit User', I find that 'Remove user' is active.

Ideally, 'Remove user' shouldn't be active if the assigned role has access/update-related permissions. This should only be available if I choose the delete user permission, or it should throw a permission denied message.


Version-Release number of selected component (if applicable):
katello-0.1.75-1.git.41.2e9f377.fc15.noarch

How reproducible:
always

Steps to Reproduce:
1. Login with admin user
2. Create a new user e.g. newuser
3. Create a role with above permissions
4. Assign that role to 'newuser'
5. Login with 'newuser'
6. Go to Administration ==> double click on 'newuser' ==> Select Roles & permissions from 'Edit User' on the right pane.
7. Click on 'Remove user' on top right of the 'Edit user' window
  
Actual results:
When you click on Remove User, nothing happens. 

Expected results:

Ideally, 'Remove user' shouldn't be active if the assigned role has access/update-related permissions, or it should throw a permission denied message. This should only be available if we choose the delete user permission.

Additional info:

Comment 1 Sachin Ghai 2011-09-06 10:53:56 UTC
Created attachment 521627 [details]
Remove user on top right of 'Edit User' window

Comment 2 Partha Aji 2011-09-15 16:25:07 UTC
This commit should have fixed your issue. Can't reproduce it. Moving to ON_QA since this was done a while back.
http://git.fedorahosted.org/git/?p=katello.git;a=commit;h=46b8fb5fbfa11dd83b29e3039e937e91fbaf5cd8

Comment 3 Sachin Ghai 2011-10-03 06:26:28 UTC
Verified again with the following builds and it's still reproducible:

[root@dhcp201-187 ~]# rpm -qa | grep katello
katello-cli-0.1.10-1.git.436.ebcad79.fc15.noarch
katello-0.1.85-1.git.70.844626c.fc15.noarch
katello-configure-0.1.3-1.git.0.403cd32.fc15.noarch

katello/production.log says:
==============================


Started DELETE "/katello//users/4" for 10.65.193.48 at Mon Oct 03 11:50:21 +0530 2011
  Processing by UsersController#destroy as JS
  Parameters: {"id"=>"4"}
User test_user is not allowed to access users/destroy
User test_user is not allowed to access users/destroy
#<Errors::SecurityViolation: User test_user is not allowed to access users/destroy>
/usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:453:in `_run__434435962__process_action__988268021__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_1818'
/usr/share/katello/lib/util/threadsession.rb:77:in `thread_locals'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:220:in `_conditional_callback_around_1818'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:446:in `_run__434435962__process_action__988268021__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:410:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:410:in `_run_process_action_callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:94:in `send'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:94:in `run_callbacks'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/abstract_controller/callbacks.rb:17:in `process_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal/rescue.rb:17:in `process_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal/instrumentation.rb:30:in `process_action'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/notifications.rb:52:in `instrument'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/notifications/instrumenter.rb:21:in `instrument'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/notifications.rb:52:in `instrument'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal/instrumentation.rb:29:in `process_action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/abstract_controller/base.rb:119:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/abstract_controller/rendering.rb:41:in `process'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal.rb:138:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal/rack_delegation.rb:14:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_controller/metal.rb:178:in `action'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/routing/route_set.rb:62:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/routing/route_set.rb:62:in `dispatch'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/routing/route_set.rb:27:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/route_set.rb:150:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/code_generation.rb:93:in `recognize'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/code_generation.rb:68:in `optimized_each'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/code_generation.rb:92:in `recognize'
/usr/lib/ruby/gems/1.8/gems/rack-mount-0.7.1/lib/rack/mount/route_set.rb:141:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/routing/route_set.rb:493:in `call'
/usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:35:in `call'
/usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:34:in `catch'
/usr/lib/ruby/gems/1.8/gems/warden-1.0.3/lib/warden/manager.rb:34:in `call'
/usr/lib/ruby/gems/1.8/gems/sass-3.1.4/lib/sass/../sass/plugin/rack.rb:54:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/best_standards_support.rb:17:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/head.rb:14:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/methodoverride.rb:24:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/params_parser.rb:21:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/flash.rb:182:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/session/abstract_store.rb:149:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/cookies.rb:302:in `call'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/query_cache.rb:32:in `call'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/connection_adapters/abstract/query_cache.rb:28:in `cache'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/query_cache.rb:12:in `cache'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/query_cache.rb:31:in `call'
/usr/lib/ruby/gems/1.8/gems/activerecord-3.0.10/lib/active_record/connection_adapters/abstract/connection_pool.rb:354:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/callbacks.rb:46:in `call'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:416:in `_run_call_callbacks'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/callbacks.rb:44:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/sendfile.rb:102:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/remote_ip.rb:48:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/show_exceptions.rb:47:in `call'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.10/lib/rails/rack/logger.rb:13:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/runtime.rb:17:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/lock.rb:34:in `call'
/usr/lib/ruby/gems/1.8/gems/actionpack-3.0.10/lib/action_dispatch/middleware/static.rb:30:in `call'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.10/lib/rails/application.rb:168:in `call'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.10/lib/rails/application.rb:77:in `send'
/usr/lib/ruby/gems/1.8/gems/railties-3.0.10/lib/rails/application.rb:77:in `method_missing'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/urlmap.rb:52:in `call'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/urlmap.rb:46:in `each'
/usr/lib/ruby/gems/1.8/gems/rack-1.3.0/lib/rack/urlmap.rb:46:in `call'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:84:in `pre_process'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:82:in `catch'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:82:in `pre_process'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:57:in `process'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/connection.rb:42:in `receive_data'
/usr/lib/ruby/gems/1.8/gems/eventmachine-0.12.10/lib/eventmachine.rb:256:in `run_machine'
/usr/lib/ruby/gems/1.8/gems/eventmachine-0.12.10/lib/eventmachine.rb:256:in `run'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/backends/base.rb:61:in `start'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/server.rb:159:in `start'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/controllers/controller.rb:86:in `start'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/runner.rb:185:in `send'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/runner.rb:185:in `run_command'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/lib/thin/runner.rb:151:in `run!'
/usr/lib/ruby/gems/1.8/gems/thin-1.2.11/bin/thin:6
/usr/share/katello/script/thin:59:in `load'
/usr/share/katello/script/thin:59
Rendered common/403.html.haml (0.6ms)
Completed 403 Forbidden in 14ms (Views: 1.1ms | ActiveRecord: 3.9ms)



Logs are correctly denying, since the user doesn't have the appropriate permissions. However, the UI should also throw a proper message or deactivate the "Remove User" button.

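The log in the comment above shows the two layers involved: the controller's `authorize` guard correctly rejects `users/destroy` with a 403, while the view still renders a control the user cannot use. The following is an added illustration (not Katello's code) of how those two layers fit together: one permission check that the controller enforces, and the same check reused to decide whether the "Remove user" control is rendered at all. The role, permission and helper names, and the sample users, are constructed for this example.

```ruby
# Added example, not code from the Katello project. Models the server-side
# authorization guard from the log above plus permission-aware rendering of the
# "Remove user" control. All names and sample data here are constructed.

class SecurityViolation < StandardError; end

# A permission grants a set of verbs on one resource type. "Access user" and
# "Update user" from the report map to read/update on "users"; deleting needs
# its own verb, so update never implies delete.
Permission = Struct.new(:resource, :verbs)
Role = Struct.new(:name, :permissions)
User = Struct.new(:login, :roles)

# Core rule: allowed only if some assigned role grants exactly this verb.
def allowed?(user, resource, verb)
  user.roles.any? do |role|
    role.permissions.any? { |p| p.resource == resource && p.verbs.include?(verb) }
  end
end

# Controller-side guard. This check must stay regardless of what the UI shows,
# because a hand-crafted DELETE request never goes through the view.
def authorize!(user, resource, verb)
  unless allowed?(user, resource, verb)
    raise SecurityViolation, "User #{user.login} is not allowed to access #{resource}/#{verb}"
  end
  true
end

# Simulated UsersController#destroy: returns the HTTP status the log reports.
def destroy_user(current_user, target_id)
  authorize!(current_user, "users", "delete")
  200 # constructed: deletion of user #{target_id} would happen here
rescue SecurityViolation
  403
end

# View-side gating: render the control only when the action would succeed,
# so the user is not offered a button that silently does nothing.
# Returns nil (nothing rendered) when the user lacks users/delete.
def remove_user_button(current_user, target_id)
  return nil unless allowed?(current_user, "users", "delete")
  %(<a class="remove_item" href="/katello/users/#{target_id}" data-method="delete">Remove user</a>)
end

# Constructed sample data mirroring the custom role from the description.
ACCESS_UPDATE_ROLE = Role.new("user_editor", [
  Permission.new("users", %w[read update]),
  Permission.new("roles", %w[read update]),
])
ADMIN_ROLE = Role.new("admin", [Permission.new("users", %w[read update create delete])])

TEST_USER = User.new("test_user", [ACCESS_UPDATE_ROLE])
ADMIN     = User.new("admin", [ADMIN_ROLE])

if __FILE__ == $0
  puts "test_user sees 'Remove user': #{!remove_user_button(TEST_USER, 4).nil?}"
  puts "test_user DELETE /users/4 -> #{destroy_user(TEST_USER, 4)}"
  puts "admin sees 'Remove user': #{!remove_user_button(ADMIN, 4).nil?}"
  puts "admin DELETE /users/4 -> #{destroy_user(ADMIN, 4)}"
end
```

The point of sharing one `allowed?` predicate between `authorize!` and `remove_user_button` is that the view can never disagree with the controller: whatever the UI offers, the server re-checks, and whatever the server would refuse, the UI does not offer.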
Comment 4 Sachin Ghai 2011-10-03 06:29:06 UTC
Created attachment 525978 [details]
"Remove user" is activated on top right of 'Edit User' window

Comment 5 Partha Aji 2011-10-12 23:11:51 UTC
Thanks. Missed the " Select Roles & permissions from 'Edit User'" part in the original bug.

Should be fixed as of http://git.fedorahosted.org/git/?p=katello.git;a=commit;h=c9018f735416ee92116e5be7821c0b8744badbcb

Comment 6 Sachin Ghai 2011-12-23 11:44:03 UTC
Verified with the following katello build:

[root@dhcp201-162 ~]# rpm -qa | grep katello
katello-0.1.154-1.el6.noarch
katello-trusted-ssl-cert-1.0-1.noarch
katello-cli-common-0.1.30-1.el6.noarch
katello-glue-pulp-0.1.154-1.el6.noarch
katello-configure-0.1.46-1.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-glue-candlepin-0.1.154-1.el6.noarch
katello-all-0.1.154-1.el6.noarch
katello-repos-0.1.4-1.el6.noarch
katello-cli-0.1.30-1.el6.noarch
katello-glue-foreman-0.1.154-1.el6.noarch
katello-common-0.1.154-1.el6.noarch
katello-certs-tools-1.0.1-1.el6.noarch
katello-httpd-ssl-key-pair-1.0-1.noarch


"Remove user" is removed from the UI when we applied the role with the permissions mentioned in the defect's description.

For verification, please see the attachment in the next comment.

Comment 7 Sachin Ghai 2011-12-23 11:45:09 UTC
Created attachment 549333 [details]
"Remove user" is removed on top right of 'Edit User' window with the permissions mentioned in defect's description
