770418 – Read only user shouldn't have extra permissions to add new roles, org and provider etc.

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 770418 - Read only user shouldn't have extra permissions to add new roles, org and provider etc.

Summary: Read only user shouldn't have extra permissions to add new roles, org and pro...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	WebUI
Sub Component:
Version:	6.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	Unspecified
Assignee:	Partha Aji
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	katello-blockers
TreeView+	depends on / blocked

Reported:	2011-12-26 12:05 UTC by Sachin Ghai
Modified:	2019-09-26 13:27 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-08-22 18:16:21 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Created a new provider with read only user. (48.43 KB, image/png) 2012-01-06 11:53 UTC, Sachin Ghai	no flags	Details
View All

Description Sachin Ghai 2011-12-26 12:05:00 UTC

Description of problem:
I created a new user (readuser) and assigned "Read Everything" role. Assuming that this role has "read only" permissions, I login with readuser and can see all the tabs. However I noticed this read only user has some extra permissions to create:

- Role
- provider.
- add new org
- Delete org
- add new system
- remove system.

Version-Release number of selected component (if applicable):
[root@dhcp201-197 home]# rpm -qa | grep katello
katello-glue-pulp-0.1.155-1.el6.noarch
katello-configure-0.1.48-1.el6.noarch
katello-trusted-ssl-cert-1.0-1.noarch
katello-cli-common-0.1.31-1.el6.noarch
katello-glue-foreman-0.1.155-1.el6.noarch
katello-common-0.1.155-1.el6.noarch
katello-httpd-ssl-key-pair-1.0-1.noarch
katello-0.1.155-1.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-repos-0.1.4-1.el6.noarch
katello-cli-0.1.31-1.el6.noarch
katello-glue-candlepin-0.1.155-1.el6.noarch
katello-all-0.1.155-1.el6.noarch
katello-certs-tools-1.0.1-1.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Login with admin user
2. Create a new user 'readuser'
3. Assign "Read Everything" role to "readuser"
4. Login with "readuser"
5. Try to create new provider
6. Try to create new role and assign permissions

Actual results:
Read only user has some extra permissions to create:

- Role
- provider.
- add new org
- Delete org
- add new system
- remove system.

Expected results:
A user which has read only permissions shouldn't be able to create/add and define anything.

Additional info:

Comment 1 Eric Helms 2012-01-04 20:12:27 UTC

Cannot reproduce this behavior following the above steps.

Comment 2 Sachin Ghai 2012-01-06 11:52:04 UTC

The reported issue is still reproducible with the steps listed in description. I reproduced the same issue on latest katello build 0-1-167.

[root@dhcp201-214 ~]# rpm -qa | grep katello
katello-configure-0.1.49-1.el6.noarch
katello-0.1.167-1.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-cli-common-0.1.33-1.el6.noarch
katello-glue-foreman-0.1.167-1.el6.noarch
katello-trusted-ssl-cert-1.0-1.noarch
katello-glue-candlepin-0.1.167-1.el6.noarch
katello-glue-pulp-0.1.167-1.el6.noarch
katello-httpd-ssl-key-pair-1.0-1.noarch
katello-repos-0.1.4-1.el6.noarch
katello-cli-0.1.33-1.el6.noarch
katello-common-0.1.167-1.el6.noarch
katello-all-0.1.167-1.el6.noarch
katello-certs-tools-1.0.1-1.el6.noarch

Please see the attachment in next comment where I was able to create a custom provider with readuser which has assigned Read Everything role.

Comment 3 Sachin Ghai 2012-01-06 11:53:51 UTC

Created attachment 551132 [details]
Created a new provider with read only user.

Comment 4 Partha Aji 2012-01-10 01:46:00 UTC

Should be resolved as of
http://git.fedorahosted.org/git/?p=katello.git;a=commit;h=7fc9f11393fae097de79c6b0573181f035c7faa4

Comment 5 Sachin Ghai 2012-01-18 12:48:15 UTC

verified with following katello build:

[root@dhcp201-176 ~]# rpm -qa | grep katello
katello-glue-candlepin-0.1.178-1.el6.noarch
katello-trusted-ssl-cert-1.0-1.noarch
katello-common-0.1.178-1.el6.noarch
katello-httpd-ssl-key-pair-1.0-1.noarch
katello-repos-testing-0.1.5-1.el6.noarch
katello-cli-0.1.35-1.el6.noarch
katello-0.1.178-1.el6.noarch
katello-configure-0.1.53-1.el6.noarch
katello-glue-pulp-0.1.178-1.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-cli-common-0.1.35-1.el6.noarch
katello-certs-tools-1.0.2-1.el6.noarch
katello-all-0.1.178-1.el6.noarch
katello-glue-foreman-0.1.178-1.el6.noarch
katello-repos-0.1.5-1.el6.noarch


Now read only user can only read..no access to create provider/org/role/system.
Also can not delete org and system

Note You need to log in before you can comment on or make changes to this bug.