ResourceManagerBean.deleteResourceError() currently only checks that the subject has VIEW_RESOURCE. We should: 1) update ResourceManagerBean.deleteResourceError() to require MODIFY_RESOURCE 2) update the GUI (ResourceErrorsView) to gray out the Delete button if the user does not have MODIFY_RESOURCE
Fixed: [master c6e550f] [release_jon3.x 3a8916b]
i see some correct behavior ... but also have a question. first...the correct behavior: i created a group. i created a role that included this group. for this role, i first did not set manage inventory....and had read permission (but not write) for inventory. i created a user that belonged to this group. i logged in as this user, and this user could view, and not delete the group. PASS then i added write permission for inventory. i logged in as the user again. this user still could not delete the group. UNSURE IF THIS IS PASS OR FAIL then i added global permission for manage inventory. i logged in as the user again. this user could delete the group. PASS so now my questions: 1) does VIEW_RESOURCE and MODIFY_RESOURCE corresspond to the resource permissions for inventory or to the global authorization for manage inventory? 2) test #2 above ... is that behavior correct? i sort of expected that to PASS. 3) can you clarify the test to verify this? it is not clear to me .
That's the expected behavior. The global MANAGE_INVENTORY permission is required to delete a group (it's also required to create groups). If a user only has the inventory-write perm (aka MODIFY_RESOURCE) for a group, that's not sufficient to delete it.
This is related to the hudson failure on Monday 28th, so setting back to ON_QA to confirm this is resolved in the release branch
Verified in build#114 in release_jon3.x branch Changed the JBoss AS 5 server principal and credentials to incorrect values. It displayed a yellow triangle showing resource errors. Created a compatible group of JBoss AS 5 resources. Created a user. Created a role with 'Inventory-read' (VIEW_RESOURCE) permissions and assigned compatible group and user to this role. Logged in as the user and navigated to the summary tab of the JBoss AS 5 resource. Clicked on the yellow triangle showing resource errors. Selected the error and observed that the 'Delete' button is not enabled as expected. Logged in to RHQ as rhqadmin and changed the role permissions to resource level inventory-write (MODIFY_RESOURCE). Logged in as the user and verified that selecting the error in JBoss AS 5 resource error modal enables the 'Delete' button. Clicking the 'Delete' button deletes the error from modal and displays message in UI and message center. Marking as verified.
changing status of VERIFIED BZs for JON 2.4.2 and JON 3.0 to CLOSED/CURRENTRELEASE
marking VERIFIED JON 3 bugs to CLOSED/CURRENTRELEASE