Bug 787979 - SecurityViolation error while clicking the auto heal check box using read only user
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: WebUI
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: Unspecified
Assignee: Tom McKay
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-02-07 07:05 UTC by Sachin Ghai
Modified: 2019-09-26 13:30 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-22 18:25:13 UTC
Target Upstream Version:


Attachments
Complete error log from production.log (7.63 KB, application/octet-stream), 2012-02-07 07:09 UTC, Sachin Ghai
enabled check box with read only user (69.46 KB, image/png), 2012-02-07 07:10 UTC, Sachin Ghai

Description Sachin Ghai 2012-02-07 07:05:11 UTC
Description of problem:
I was testing the user roles. A system was already registered with the admin user. However, when I logged in with a read-only user, went to the systems tab and selected the subscription sub-tab in the right pane, I found that a few check boxes were enabled. Ideally, with a read-only user these check boxes should be disabled.

When I clicked on the autoheal check box, a long backtrace was generated in production.log.

---
Started POST "/katello/systems/1" for 10.65.193.48 at Tue Feb 07 06:31:03 -0500 2012
  Processing by SystemsController#update as HTML
  Parameters: {"id"=>"1", "authenticity_token"=>"2bL/yVTy54rdStWx5GO1OFv7tP5mJYYjiHwvs8m2i7Q=", "autoheal"=>"false", "utf8"=>"✓"}
User reader is not allowed to access systems/update
User reader is not allowed to access systems/update
#<Errors::SecurityViolation: User reader is not allowed to access systems/update>
/usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:458:in `_run__726213939__process_action__1614930260__callbacks'
/usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_2744'
----
<truncate>

Version-Release number of selected component (if applicable):

katello-configure-0.1.55-2.el6.noarch
katello-glue-candlepin-0.1.211-2.el6.noarch
katello-cli-common-0.1.44-2.el6.noarch
katello-common-0.1.211-2.el6.noarch
katello-selinux-0.1.3-1.el6.noarch
katello-httpd-ssl-key-pair-1.0-1.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-glue-pulp-0.1.211-2.el6.noarch
katello-0.1.211-2.el6.noarch
katello-certs-tools-1.0.2-2.el6.noarch
katello-glue-foreman-0.1.211-2.el6.noarch
katello-trusted-ssl-cert-1.0-1.noarch
katello-all-0.1.211-2.el6.noarch
katello-cli-0.1.44-2.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Register a machine using the admin user.
2. Create a read-only user 'reader'.
3. Log in as user 'reader'.
4. Go to systems tab ==> subscription.
5. Click on the autoheal checkbox.

Actual results:
Error with a long backtrace in production.log.

Expected results:
I think all check boxes should be disabled for a read-only user; otherwise, there should be no backtrace in production.log, and instead the UI should raise a permission denied message.

Additional info:

Comment 1 Sachin Ghai 2012-02-07 07:09:09 UTC
Created attachment 559853
Complete error log from production.log

Comment 2 Sachin Ghai 2012-02-07 07:10:53 UTC
Created attachment 559854
enabled check box with read only user

Comment 4 Tom McKay 2012-03-01 17:30:33 UTC
commit 28922108dbab695c444fc99f4e9cb645f565f5a2
Author: Tom McKay <thomasmckay>
Date:   Thu Mar 1 12:29:13 2012 -0500

    787979 - auto-heal checkbox only enabled if system editable

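What the reporter's expected result and the fix commit above describe, as an added example in plain Ruby (no Rails) that is not Katello's code: the auto-heal checkbox is rendered disabled unless the user may update the system, the server-side authorize check stays as the real enforcement point, and the SecurityViolation it raises is turned into a 403 response instead of an unhandled backtrace. The user/permission model, the helper names, the two sample users and the in-memory systems table are assumptions for illustration.

```ruby
# Added example, not Katello code. Models the bug's fix in plain Ruby:
# the view gates the control, the server authorizes every update, and a
# denied update becomes a 403 rather than a backtrace in production.log.

module Errors
  class SecurityViolation < StandardError; end
end

# Hypothetical minimal user/permission model (assumption, not Katello's).
# permissions is a list of [resource, action] pairs; :all grants every action.
User = Struct.new(:username, :permissions) do
  def allowed_to?(resource, action)
    permissions.include?([resource, action]) || permissions.include?([resource, :all])
  end
end

ADMIN  = User.new("admin",  [[:systems, :all]])
READER = User.new("reader", [[:systems, :read]])   # read-only, like the report's 'reader'

# The single place that decides whether an update may happen (stands in for the
# authorize before-filter seen at authorization_rules.rb:31 in the backtrace).
def authorize!(user, resource, action)
  return if user.allowed_to?(resource, action)
  raise Errors::SecurityViolation,
        "User #{user.username} is not allowed to access #{resource}/#{action}"
end

# View side: the checkbox is only enabled when the system is editable for this
# user, so a read-only user is never offered a control that must fail.
def autoheal_checkbox_html(user, autoheal)
  editable = user.allowed_to?(:systems, :update)
  checked  = autoheal ? ' checked="checked"' : ""
  disabled = editable ? "" : ' disabled="disabled"'
  %(<input type="checkbox" name="autoheal" value="true"#{checked}#{disabled} />)
end

# Controller side: a SystemsController#update stand-in. `systems` is the
# in-memory table { id => { autoheal: bool } }; returns [http_status, body].
def update_system(systems, user, id, params)
  authorize!(user, :systems, :update)
  systems.fetch(id)[:autoheal] = (params["autoheal"] == "true")
  [200, "autoheal=#{systems[id][:autoheal]}"]
rescue Errors::SecurityViolation => e
  # Equivalent of a Rails rescue_from: one log line and a clean 403,
  # no backtrace, and the system is left unchanged.
  warn e.message
  [403, "Permission denied: #{e.message}"]
end
```

Disabling the control is a usability fix only: the read-only account can still send the POST /katello/systems/1 shown in the log with curl, so authorize! must run on every update, and the rescue is what keeps that denial from turning into the backtrace the reporter saw.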
Comment 7 Corey Welton 2012-03-07 21:26:22 UTC
Verified fixed in brew build 0.1.303-1.el6

