Description of problem:
I created some customized roles and assigned them to a user. But when I tried to perform some action for which I don't have the necessary privileges, I got a permission denied message under the systems tab. And this hides other tabs.
Here are a couple of examples to reproduce.
1. Create a role with the following permissions and assign this role to a user, e.g. newuser
Permissions for User
- Access user
- Update user
Permissions for Roles:
- Access roles
- Update roles
2. When you log in with 'newuser', you will get 3 tabs (see attachment1).
If you click on the systems tab you will get the permission denied message, and this hides the administration tab (see attachment2).
Ideally in this case, systems tab should not appear because I didn't choose any permission related to system.
Create a role with following permissions and assign this role to a newuser:
Permission for org:
- access organization
- access systems
Permissions for Environment:
- Access Changeset in Env
- Access env contents
- Access systems in Env
Permissions for Provider:
- Access provider
Permissions for users:
- Access users
Now if you click on 'Content Management' ==> 'promotions'; you will get a permission denied message under 'systems' tab.
Ideally 'permission denied' msg should be displayed under 'promotion' tab instead of systems tab and should not hide other tabs.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
For all unauthorized operations 'permission denied' message should appear under respective tabs instead of systems tab and shouldn't hide other tabs
Created attachment 521633
Login with user that has permission to access users/roles; Shows three tabs
Instead of three tabs there should be only two tabs (Dashboard, Administration), since the user has permission to access users/roles, not systems.
Created attachment 521634
'permission denied' msg under systems tab; also this hides other accessible tabs
This should be fixed with http://git.fedorahosted.org/git/?p=katello.git;a=commit;h=bcb059288221504efc36fde2d5551a66802157c9
I am able to access the promotions page in the 2nd test. That seems unexpected to me, since there was no permission added for that. Partha: comment?
Permissions for the promotions page are a little tricky. For starters, a general guide for the rules is at https://fedorahosted.org/katello/wiki/PermissionMatrix#Promotionpages
(even though that link needs to be updated for ActivationKeys & SystemTemplates)
In general you get access to the promotion page if any of these conditions are true:
1) You have access rights on changesets in any environment in the current organization.
2) You have access content rights on any environment in the organization.
So Jeff to answer your question, it depends on what you selected for the Tags. If you selected access change set/access contents for any environment in the org, you'll be able to access the promotion page.
On the page itself, the left pane will be disabled if you don't have "access contents" on the current environment and the right pane will be disabled if you don't have "access changeset" to the "next" environment in the path.
Ok, based on this the test is working as expected. Verified, katello-0.1.84-1.git.26.51fa1e1.fc14.noarch
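The promotions-page rule from the comment above (page access from either right on any environment, pane state from the current and next environment), written out as an added Ruby example. This is not Katello's code: the class, method names, environment path and grants are hypothetical and constructed for illustration.

```ruby
# Added illustration, not Katello's implementation. All names are hypothetical.
class PromotionAccess
  CONTENTS  = "access contents"
  CHANGESET = "access changeset"

  # path:   ordered promotion path of environment names in one organization
  # grants: { environment name => [permission names] } for one user
  def initialize(path, grants)
    @path = path
    @grants = grants
  end

  # Deny by default: a nil or unknown environment carries no rights.
  def allowed?(env, perm)
    !env.nil? && @grants.fetch(env, []).include?(perm)
  end

  # Reachable if either right is held on ANY environment in the organization.
  def page_accessible?
    @path.any? { |env| allowed?(env, CONTENTS) || allowed?(env, CHANGESET) }
  end

  # The "next" environment in the path; nil for the last or an unknown one.
  def next_env(current)
    idx = @path.index(current)
    idx && @path[idx + 1]
  end

  # What the page should render for the environment currently selected.
  def view(current)
    return { page: :denied } unless page_accessible?
    {
      page: :ok,
      left_pane: allowed?(current, CONTENTS),              # contents of current env
      right_pane: allowed?(next_env(current), CHANGESET)   # changeset for next env
    }
  end
end

# Constructed sample data: a three-step path and one user's grants.
SAMPLE_PATH   = %w[Library Dev Prod].freeze
SAMPLE_GRANTS = { "Dev" => [PromotionAccess::CONTENTS],
                  "Prod" => [PromotionAccess::CHANGESET] }.freeze

if __FILE__ == $PROGRAM_NAME
  access = PromotionAccess.new(SAMPLE_PATH, SAMPLE_GRANTS)
  SAMPLE_PATH.each { |env| puts "#{env}: #{access.view(env)}" }
end
```

A user whose role holds neither right on any environment gets `{ page: :denied }`, which is the case where the navigation entry should not be offered at all.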