Bug 740972 - Should View Providers be implicit for Remove Providers Role?
Summary: Should View Providers be implicit for Remove Providers Role?
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Security
Version: Nightly
Hardware: Unspecified
OS: Unspecified
low
low vote
Target Milestone: Unspecified
Assignee: Partha Aji
QA Contact: Tazim Kolhar
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-09-24 00:25 UTC by Corey Welton
Modified: 2019-09-26 18:20 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-02 14:07:39 UTC


Attachments (Terms of Use)

Description Corey Welton 2011-09-24 00:25:57 UTC
Description of problem:
A user/role which grants/who has only has Remove Provider verb cannot actually see any providers in order to be able to remove any.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a new user, "removeproviders"
2. Create a new role, "removeproviders_role"
3. Grant new permission, "removeproviders_perm" with verb "Remove Providers"
4. Login with user 'removeproviders'
5. Navigate to Content Management tab  

Actual results:
User cannot see any providers!

Expected results:
I'm not sure if this is a bug or not but it sure is awkward. Submitting for dev/uxd consideration.

Additional info:

Comment 1 Corey Welton 2011-09-24 00:31:43 UTC
FWIW, other CRUD roles - particularly, Create and Manage, both do seem to implicitly allow read access too

Comment 2 Partha Aji 2011-10-13 00:07:00 UTC
In Katello Create/Update/Remove automatically implies read.

But I am unable to reproduce this issue. Is it possible that you had "Remove" with no specific provider selected? Try selecting a specific provider for this remove provider permission and let me know if you can't read still do the read. You can also say the user can remove all providers in the permission. Either way 'Remove' will only work if you have a provider you can remove. Merely selecting the verb won't do much good. Any I am going to resolve this as ON_QA. Fail back if you are still hitting this issue.

Comment 3 Corey Welton 2011-12-16 14:03:21 UTC
I just confirmed this still happens.  User was created, and granted a (global) role with only one permission - delete providers.  However, upon logging in, user cannot see providers from the Content Management > Providers tab.

Comment 4 Corey Welton 2011-12-16 14:05:17 UTC
BTW, version (re)tested in comment #3 above:

katello-glue-foreman-0.1.145-1.git.0.57471e6.el6.noarch
katello-all-0.1.145-1.git.0.57471e6.el6.noarch
katello-httpd-ssl-key-pair-1.0-1.noarch
katello-certs-tools-1.0.1-2.el6.noarch
katello-repos-0.1.3-1.git.0.db2bd1d.el6.noarch
katello-common-0.1.145-1.git.0.57471e6.el6.noarch
katello-configure-0.1.37-1.git.11.fac6c90.el6.noarch
katello-cli-0.1.28-1.git.0.5dc3631.el6.noarch
katello-cli-common-0.1.28-1.git.0.5dc3631.el6.noarch
katello-trusted-ssl-cert-1.0-1.noarch
katello-glue-pulp-0.1.145-1.git.0.57471e6.el6.noarch
katello-glue-candlepin-0.1.145-1.git.0.57471e6.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-0.1.145-1.git.0.57471e6.el6.noarch

Comment 5 Corey Welton 2011-12-16 14:07:00 UTC
Partha, please note:

"User cannot see any providers!"

As such, re: "Is it possible that you had "Remove"with no specific provider selected?" - this would be impossible. I cannot remove providers if I cannot see them in the first place.

Comment 6 Eric Helms 2013-01-22 19:17:09 UTC
This appears to be working upstream as of 909cf6dc7ea400013a06f1e3494d216ee67e5bee

Comment 7 Bryan Kearney 2014-01-21 19:07:09 UTC
Moving to Sat6 to be tracked there. Upstream bugs are moving to redmine.

Comment 10 Tazim Kolhar 2014-05-13 07:38:38 UTC
VERIFIED

Comment 11 Bryan Kearney 2014-07-02 14:07:39 UTC
This was delivered with 6.0.3, which is the Satellite 6 Beta.


Note You need to log in before you can comment on or make changes to this bug.