Bug 751091 - Resource tree fails to render for non inventory manager
Summary: Resource tree fails to render for non inventory manager
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Core Server
Version: 4.2
Hardware: All
OS: All
Priority: medium
Severity: urgent
Target Milestone: ---
Target Release: JON 3.0.0,RHQ 4.3.0
Assignee: Jay Shaughnessy
QA Contact: Mike Foley
URL:
Whiteboard:
Duplicates: 750897 773235
Depends On:
Blocks: jon30-sprint8
 
Reported: 2011-11-03 14:03 UTC by Jay Shaughnessy
Modified: 2012-02-07 19:19 UTC

Fixed In Version: 4.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-07 19:19:59 UTC
Embargoed:



Description Jay Shaughnessy 2011-11-03 14:03:08 UTC
Non-inventory managers will get a permission error trying to render
the resource tree when navigating to any resource detail view.

Comment 1 Jay Shaughnessy 2011-11-03 14:05:41 UTC
This problem is due to the fix that went in for bug 734592.  It used a
ResourceCriteria.fetchParentResource(true), which for security
reasons requires Manage Inventory global perm.

The fix will have to avoid that call.

Comment 2 Jay Shaughnessy 2011-11-03 15:45:54 UTC
master         commit: a65ee3a2aff51ebba00fc897839d4719467830c0
release_jon3.x commit: 09e73f804a69af9899213f75944cc8443cfa905a

Remove use of ResourceCriteria.fetchParentResource(true) to support
AutoGroup naming. Instead, make use of the fact that the needed
resource information is available in an ancestral ResourceTreeNode.
This approach avoids the need for inventory manager perm (required
for fetchParentResource) and also the potential inability to
query for the resource on-demand, as it could be unavailable (locked)
to the user (but the locked resource tree node has what we need).

Test Notes:
* Testing should be done with Inventory manager and Non-Inventory Manager
users.
* bug 734592 should be re-qualified as this reimplements the fix 
previously made for that bug. A suggested test sequence:

0) IF ALREADY IMPORTED, UN-IMPORT the RHQ Server resource

1) Import RHQ Server resource

2) As rhqadmin, ensure tree rendering and autogroup naming is correct

3) Create a new recursive group test-734592-group
3.1) Add all of the children of the RHQ Server resource (this is made 
easier by adding the RHQ Server, letting it recursively add the children
and then going back and removing the RHQ Server resource)

4) Create a role test-734592-role
4.1) just the default read perms
4.2) assign the new test group

5) Create a new user test-734592-user 
5.1) Assign the new test role

6) Login as the new test user

7) Navigate to a Datasource resource

8) The tree should render and the RHQ Server should show as locked

9) Click on the Datasources AutoGroup node.

10) Verify that the AG name is correct (no nulls, shows name of RHQ 
Server resource).

Perform any other relevant testing that you can think of.
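
The approach described in Comment 2, as an added Java sketch that is not RHQ code and not part of the original comment: a parent fetch gated on a global permission fails for a read-only user, while the name needed for the AutoGroup label can be read from an ancestor node already in the tree, even when that node is locked. The `Node` class, the method names, the `"MANAGE_INVENTORY"` string and the label format are all assumptions made for illustration.

```java
import java.util.Set;
// Added illustration: all types, names and the label format are hypothetical, not RHQ's API.
public class AutoGroupLabelDemo {
    /** Stand-in for a node of the resource tree the client has already loaded. */
    static final class Node {
        final String name;
        final boolean resource; // false for an AutoGroup node
        final boolean locked;   // true when the user may not view the resource
        final Node parent;
        Node(String name, boolean resource, boolean locked, Node parent) {
            this.name = name; this.resource = resource;
            this.locked = locked; this.parent = parent;
        }
    }

    /** Stand-in for a parent fetch that the server gates on a global permission. */
    static String fetchParentName(Set<String> globalPerms, Node node) {
        if (!globalPerms.contains("MANAGE_INVENTORY")) {
            throw new SecurityException("parent fetch requires Manage Inventory");
        }
        return node.parent.name;
    }

    /** Nearest ancestor that is a real resource, read from the tree itself. */
    static Node owningResource(Node node) {
        for (Node n = node.parent; n != null; n = n.parent) {
            if (n.resource) return n;
        }
        return null;
    }

    /** A locked node still carries its name, so no query or extra permission is needed. */
    static String autoGroupLabel(Node autoGroup) {
        Node owner = owningResource(autoGroup);
        return owner == null ? autoGroup.name : autoGroup.name + " (" + owner.name + ")";
    }

    public static void main(String[] args) {
        Node server = new Node("RHQ Server", true, true, null);     // locked for this user
        Node group = new Node("Datasources", false, false, server); // AutoGroup node
        Set<String> readOnlyUser = Set.of();                        // no global permissions
        try {
            fetchParentName(readOnlyUser, group);
        } catch (SecurityException e) {
            System.out.println("gated fetch: " + e.getMessage());
        }
        System.out.println("tree walk:   " + autoGroupLabel(group));
    }
}
```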

Comment 3 Heiko W. Rupp 2011-11-03 16:45:18 UTC
*** Bug 750897 has been marked as a duplicate of this bug. ***

Comment 4 Mike Foley 2011-11-04 17:14:56 UTC
verified 11/4/2011

Comment 5 Lukas Krejci 2012-01-27 19:51:44 UTC
*** Bug 773235 has been marked as a duplicate of this bug. ***

Comment 6 Mike Foley 2012-02-07 19:19:59 UTC
changing status of VERIFIED BZs for JON 2.4.2 and JON 3.0 to CLOSED/CURRENTRELEASE