Description of problem: I created a new user (readuser) and assigned "Read Everything" role. Assuming that this role has "read only" permissions, I login with readuser and can see all the tabs. However I noticed this read only user has some extra permissions to create: - Role - provider. - add new org - Delete org - add new system - remove system. Version-Release number of selected component (if applicable): [root@dhcp201-197 home]# rpm -qa | grep katello katello-glue-pulp-0.1.155-1.el6.noarch katello-configure-0.1.48-1.el6.noarch katello-trusted-ssl-cert-1.0-1.noarch katello-cli-common-0.1.31-1.el6.noarch katello-glue-foreman-0.1.155-1.el6.noarch katello-common-0.1.155-1.el6.noarch katello-httpd-ssl-key-pair-1.0-1.noarch katello-0.1.155-1.el6.noarch katello-qpid-broker-key-pair-1.0-1.noarch katello-repos-0.1.4-1.el6.noarch katello-cli-0.1.31-1.el6.noarch katello-glue-candlepin-0.1.155-1.el6.noarch katello-all-0.1.155-1.el6.noarch katello-certs-tools-1.0.1-1.el6.noarch How reproducible: always Steps to Reproduce: 1. Login with admin user 2. Create a new user 'readuser' 3. Assign "Read Everything" role to "readuser" 4. Login with "readuser" 5. Try to create new provider 6. Try to create new role and assign permissions Actual results: Read only user has some extra permissions to create: - Role - provider. - add new org - Delete org - add new system - remove system. Expected results: A user which has read only permissions shouldn't be able to create/add and define anything. Additional info:
Cannot reproduce this behavior following the above steps.
The reported issue is still reproducible with the steps listed in description. I reproduced the same issue on latest katello build 0-1-167. [root@dhcp201-214 ~]# rpm -qa | grep katello katello-configure-0.1.49-1.el6.noarch katello-0.1.167-1.el6.noarch katello-qpid-broker-key-pair-1.0-1.noarch katello-cli-common-0.1.33-1.el6.noarch katello-glue-foreman-0.1.167-1.el6.noarch katello-trusted-ssl-cert-1.0-1.noarch katello-glue-candlepin-0.1.167-1.el6.noarch katello-glue-pulp-0.1.167-1.el6.noarch katello-httpd-ssl-key-pair-1.0-1.noarch katello-repos-0.1.4-1.el6.noarch katello-cli-0.1.33-1.el6.noarch katello-common-0.1.167-1.el6.noarch katello-all-0.1.167-1.el6.noarch katello-certs-tools-1.0.1-1.el6.noarch Please see the attachment in next comment where I was able to create a custom provider with readuser which has assigned Read Everything role.
Created attachment 551132 [details] Created a new provider with read only user.
Should be resolved as of http://git.fedorahosted.org/git/?p=katello.git;a=commit;h=7fc9f11393fae097de79c6b0573181f035c7faa4
verified with following katello build: [root@dhcp201-176 ~]# rpm -qa | grep katello katello-glue-candlepin-0.1.178-1.el6.noarch katello-trusted-ssl-cert-1.0-1.noarch katello-common-0.1.178-1.el6.noarch katello-httpd-ssl-key-pair-1.0-1.noarch katello-repos-testing-0.1.5-1.el6.noarch katello-cli-0.1.35-1.el6.noarch katello-0.1.178-1.el6.noarch katello-configure-0.1.53-1.el6.noarch katello-glue-pulp-0.1.178-1.el6.noarch katello-qpid-broker-key-pair-1.0-1.noarch katello-cli-common-0.1.35-1.el6.noarch katello-certs-tools-1.0.2-1.el6.noarch katello-all-0.1.178-1.el6.noarch katello-glue-foreman-0.1.178-1.el6.noarch katello-repos-0.1.5-1.el6.noarch Now read only user can only read..no access to create provider/org/role/system. Also can not delete org and system