Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Description of problem:
I was testing the user roles. A system was already registered with the admin user. However, when I logged in with the read-only user, went to the Systems tab and selected the Subscription sub-tab from the right pane, I found that a few check boxes were enabled. Ideally, with a read-only user these check boxes should be disabled.
When I clicked on the autoheal check box, a long backtrace was generated in production.log.
---
Started POST "/katello/systems/1" for 10.65.193.48 at Tue Feb 07 06:31:03 -0500 2012
Processing by SystemsController#update as HTML
Parameters: {"id"=>"1", "authenticity_token"=>"2bL/yVTy54rdStWx5GO1OFv7tP5mJYYjiHwvs8m2i7Q=", "autoheal"=>"false", "utf8"=>"✓"}
User reader is not allowed to access systems/update
User reader is not allowed to access systems/update
#<Errors::SecurityViolation: User reader is not allowed to access systems/update>
/usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:458:in `_run__726213939__process_action__1614930260__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_2744'
----
<truncate>
Version-Release number of selected component (if applicable):
katello-configure-0.1.55-2.el6.noarch
katello-glue-candlepin-0.1.211-2.el6.noarch
katello-cli-common-0.1.44-2.el6.noarch
katello-common-0.1.211-2.el6.noarch
katello-selinux-0.1.3-1.el6.noarch
katello-httpd-ssl-key-pair-1.0-1.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-glue-pulp-0.1.211-2.el6.noarch
katello-0.1.211-2.el6.noarch
katello-certs-tools-1.0.2-2.el6.noarch
katello-glue-foreman-0.1.211-2.el6.noarch
katello-trusted-ssl-cert-1.0-1.noarch
katello-all-0.1.211-2.el6.noarch
katello-cli-0.1.44-2.el6.noarch
How reproducible:
always
Steps to Reproduce:
1. register a machine using admin user
2. create a read only user 'reader'
3. Login with user 'reader'
4. go to systems tab ==> subscription
5. click on autoheal checkbox
Actual results:
Error with long backtrace in production.log
Expected results:
I think all check boxes should be disabled for a read-only user; otherwise, no backtrace should appear in production.log, and instead the UI should raise a permission denied message.
Additional info:
commit 28922108dbab695c444fc99f4e9cb645f565f5a2
Author: Tom McKay <thomasmckay>
Date: Thu Mar 1 12:29:13 2012 -0500
787979 - auto-heal checkbox only enabled if system editable
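The two defensive layers this report and its fix point at, as an added illustration that is not Katello's own code: the view only renders an enabled auto-heal control when the user may edit the system, and the controller still enforces the permission server-side but answers a denied request with a clean 403 instead of letting the SecurityViolation propagate as a backtrace. All class and method names (User, System, authorize!, systems_update, autoheal_checkbox_attrs) and the "resource/action" permission strings are hypothetical stand-ins for the real Katello authorization model.

```ruby
# Added illustration, not Katello's own code. All names here are hypothetical.

class SecurityViolation < StandardError; end

# Hypothetical permission model: a set of "resource/action" strings.
User = Struct.new(:login, :permissions) do
  def allowed?(resource, action)
    permissions.include?("#{resource}/#{action}")
  end
end

System = Struct.new(:id, :autoheal)

# Layer 1: view-side decision. Mirrors the fix "auto-heal checkbox only
# enabled if system editable": the rendered attributes depend on the user's
# update permission, so a read-only user gets a disabled control.
def autoheal_checkbox_attrs(user, system)
  editable = user.allowed?("systems", "update")
  attrs = { name: "autoheal", checked: system.autoheal }
  attrs[:disabled] = true unless editable
  attrs
end

# Layer 2: server-side enforcement. The disabled attribute is a UX hint only;
# a POST can still reach the controller (the report's log shows that path),
# so the check must be repeated here.
def authorize!(user, resource, action)
  return if user.allowed?(resource, action)
  raise SecurityViolation, "User #{user.login} is not allowed to access #{resource}/#{action}"
end

# Controller-style update: an expected authorization denial becomes a 403
# with a short message and a single warn-level log line, not a 500 plus a
# full backtrace in production.log.
def systems_update(user, system, params)
  authorize!(user, "systems", "update")
  system.autoheal = (params["autoheal"] == "true")
  { status: 200, body: "updated" }
rescue SecurityViolation => e
  warn "denied: #{e.message}"
  { status: 403, body: "Permission denied: #{e.message}" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample users and system for a stand-alone run.
  reader = User.new("reader", ["systems/read"])
  admin  = User.new("admin",  ["systems/read", "systems/update"])
  sys    = System.new(1, true)

  p autoheal_checkbox_attrs(reader, sys)
  p systems_update(reader, sys, { "id" => "1", "autoheal" => "false" })
  p systems_update(admin,  sys, { "id" => "1", "autoheal" => "false" })
end
```

The point of keeping both layers is that the view-side fix alone removes the confusing UI, while the controller-side mapping is what stops an unauthorized (or replayed) request from filling production.log with a backtrace for what is a routine, expected denial.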