Bug 753883 - MODIFY_RESOURCE Resource perm should be required in order to delete ResourceErrors
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: RHQ Project
Classification: Other
Component: Core Server, Core UI
Version: 4.2
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Target Release: RHQ 4.3.0, JON 3.0.0
Assignee: Ian Springer
QA Contact: Mike Foley
URL:
Whiteboard:
Depends On:
Blocks: jon30-sprint9 jon30-sprint8
Reported: 2011-11-14 18:33 UTC by Ian Springer
Modified: 2013-08-06 00:42 UTC

Fixed In Version: 4.3
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-02-07 19:24:19 UTC
Embargoed:



Description Ian Springer 2011-11-14 18:33:21 UTC
ResourceManagerBean.deleteResourceError() currently only checks that the subject has VIEW_RESOURCE.

We should:

1) update ResourceManagerBean.deleteResourceError() to require MODIFY_RESOURCE

2) update the GUI (ResourceErrorsView) to gray out the Delete button if the user does not have MODIFY_RESOURCE

Comment 1 Ian Springer 2011-11-14 23:03:25 UTC
Fixed:

[master c6e550f]
[release_jon3.x 3a8916b]

Comment 2 Mike Foley 2011-11-15 18:36:09 UTC
i see some correct behavior ... but also have a question.


first...the correct behavior:
i created a group.
i created a role that included this group. for this role, i first did not set manage inventory... and had read permission (but not write) for inventory.
i created a user that belonged to this group.
i logged in as this user, and this user could view, and not delete the group.
PASS


then

i added write permission for inventory.
i logged in as the user again.
this user still could not delete the group.
UNSURE IF THIS IS PASS OR FAIL

then

i added global permission for manage inventory.
i logged in as the user again.
this user could delete the group.
PASS

so now my questions:
1) do VIEW_RESOURCE and MODIFY_RESOURCE correspond to the resource permissions for inventory or to the global authorization for manage inventory?
2) test #2 above ... is that behavior correct? i sort of expected that to PASS.
3) can you clarify the test to verify this? it is not clear to me.

Comment 3 Ian Springer 2011-11-16 16:47:58 UTC
That's the expected behavior. The global MANAGE_INVENTORY permission is required to delete a group (it's also required to create groups). If a user only has the inventory-write perm (aka MODIFY_RESOURCE) for a group, that's not sufficient to delete it.

Comment 4 Charles Crouch 2011-11-29 16:02:15 UTC
This is related to the Hudson failure on Monday 28th, so setting back to ON_QA to confirm this is resolved in the release branch

Comment 5 Sunil Kondkar 2011-12-02 09:31:34 UTC
Verified in build#114 in release_jon3.x branch

Changed the JBoss AS 5 server principal and credentials to incorrect values. It displayed a yellow triangle showing resource errors.

Created a compatible group of JBoss AS 5 resources. Created a user. Created a role with 'Inventory-read' (VIEW_RESOURCE) permissions and assigned compatible group and user to this role.

Logged in as the user and navigated to the summary tab of the JBoss AS 5 resource.
Clicked on the yellow triangle showing resource errors.

Selected the error and observed that the 'Delete' button is not enabled as expected.

Logged in to RHQ as rhqadmin and changed the role permissions to resource level inventory-write (MODIFY_RESOURCE).

Logged in as the user and verified that selecting the error in the JBoss AS 5 resource error modal enables the 'Delete' button. Clicking the 'Delete' button deletes the error from the modal and displays a message in the UI and message center.

Marking as verified.

Comment 6 Mike Foley 2012-02-07 19:24:19 UTC
changing status of VERIFIED BZs for JON 2.4.2 and JON 3.0 to CLOSED/CURRENTRELEASE

Comment 7 Mike Foley 2012-02-07 19:26:28 UTC
marking VERIFIED JON 3 bugs to CLOSED/CURRENTRELEASE
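
The permission rules this thread settles on, as an added Java example that is not part of the bug report and is not RHQ's code: the server check for deleting a resource error requires resource-level MODIFY_RESOURCE, the UI reuses the same predicate to enable the Delete button, and group deletion requires the global MANAGE_INVENTORY permission. Only the three permission names come from the thread; the class, methods, user names and ids are hypothetical, and the role-to-group-to-resource mapping is flattened to a per-user map.

```java
import java.util.*;

// Added example: only the permission names come from the bug report; every
// class, method and sample value below is hypothetical, not RHQ's own API.
public class ResourceErrorAuthzDemo {
    enum Permission { VIEW_RESOURCE, MODIFY_RESOURCE, MANAGE_INVENTORY }

    // Constructed sample data: user -> resourceId -> resource-level permissions.
    static final Map<String, Map<Integer, Set<Permission>>> RESOURCE_PERMS = new HashMap<>();
    // Constructed sample data: user -> global permissions.
    static final Map<String, Set<Permission>> GLOBAL_PERMS = new HashMap<>();
    // Constructed sample data: errorId -> owning resourceId.
    static final Map<Integer, Integer> ERRORS = new HashMap<>();

    static boolean hasResourcePerm(String user, Permission p, int resourceId) {
        return RESOURCE_PERMS.getOrDefault(user, Map.of())
                .getOrDefault(resourceId, Set.of()).contains(p);
    }

    // Item 2 of the description: the UI asks this to decide whether to enable Delete.
    static boolean canDeleteErrors(String user, int resourceId) {
        return hasResourcePerm(user, Permission.MODIFY_RESOURCE, resourceId);
    }

    // Item 1: the server enforces the same rule itself; the greyed-out button is
    // only a convenience, because a client can call the server directly.
    static void deleteResourceError(String user, int errorId) {
        Integer resourceId = ERRORS.get(errorId);
        if (resourceId == null) throw new NoSuchElementException("error " + errorId);
        if (!canDeleteErrors(user, resourceId))   // pre-fix behaviour: VIEW_RESOURCE sufficed
            throw new SecurityException(user + " lacks MODIFY_RESOURCE on resource " + resourceId);
        ERRORS.remove(errorId);
    }

    // Comment 3: deleting a group needs the global MANAGE_INVENTORY permission.
    static boolean canDeleteGroup(String user) {
        return GLOBAL_PERMS.getOrDefault(user, Set.of()).contains(Permission.MANAGE_INVENTORY);
    }

    public static void main(String[] args) {
        RESOURCE_PERMS.put("reader", Map.of(10001, EnumSet.of(Permission.VIEW_RESOURCE)));
        RESOURCE_PERMS.put("writer", Map.of(10001,
                EnumSet.of(Permission.VIEW_RESOURCE, Permission.MODIFY_RESOURCE)));
        GLOBAL_PERMS.put("invadmin", EnumSet.of(Permission.MANAGE_INVENTORY));
        ERRORS.put(1, 10001);
        try { deleteResourceError("reader", 1); }
        catch (SecurityException e) { System.out.println("denied: " + e.getMessage()); }
        deleteResourceError("writer", 1);
        System.out.println("error still stored: " + ERRORS.containsKey(1));
        System.out.println("writer may delete group: " + canDeleteGroup("writer"));
        System.out.println("invadmin may delete group: " + canDeleteGroup("invadmin"));
    }
}
```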

