Bug 790735 - Non admin user is able to delete the imported image after Revoking the role of "Image Administrator"
Status: CLOSED ERRATA
Alias: None
Product: CloudForms Cloud Engine
Classification: Retired
Component: aeolus-conductor
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: beta5
Assignee: Scott Seago
QA Contact: pushpesh sharma
Reported: 2012-02-15 09:48 UTC by Shveta
Modified: 2014-08-04 22:30 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-05-15 22:37:02 UTC



Links
System: Red Hat Product Errata
ID: RHEA-2012:0583
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: new packages: aeolus-conductor
Last Updated: 2012-05-15 22:31:59 UTC

Description Shveta 2012-02-15 09:48:54 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create a user shveta, granted role of Image Administrator
2. Imported image
3. Revoked the role of "Image Admin", user is not able to import now,
but is able to delete the previously imported image.

User is also able to build and push image.

User should not be able to perform any action on image.

Actual results:


Expected results:


Additional info:
rpm -qa|grep aeolus
aeolus-conductor-doc-0.8.0-27.el6.noarch
aeolus-conductor-daemons-0.8.0-27.el6.noarch
aeolus-configure-2.5.0-13.el6.noarch
rubygem-aeolus-cli-0.3.0-8.el6.noarch
aeolus-all-0.8.0-27.el6.noarch
aeolus-conductor-0.8.0-27.el6.noarch
rubygem-aeolus-image-0.3.0-7.el6.noarch

Comment 1 Shveta 2012-02-15 09:50:25 UTC
"push all" button is hidden after revoking the role of "Image Admin"
but user can build and push to individual providers,
then what's the point in hiding "push all" button?

No action on images should be allowed

Comment 2 Scott Seago 2012-02-28 05:44:57 UTC
Ahh, yes this looks like a fairly straightforward bug -- the 'delete' action isn't being filtered on permissions.
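
The failure mode discussed above, as an added Ruby example that is not part of this bug report or of aeolus-conductor's code: every image action passes through one server-side permission check, and a sweep run after revocation lists any action that still succeeds. All class, method and role-table names are hypothetical, and the `filtered:` option exists only to model an action that was left without a check.

```ruby
# Added illustration: hypothetical names, not aeolus-conductor code.
class Forbidden < StandardError; end

# Constructed role table: role name => image actions it grants.
ROLE_PRIVILEGES = {
  "Image Administrator" => %i[import build push push_all delete]
}.freeze

User = Struct.new(:name, :roles) do
  def can?(action)
    roles.any? { |role| ROLE_PRIVILEGES.fetch(role, []).include?(action) }
  end
end

class ImagesController
  ACTIONS = %i[import build push push_all delete].freeze

  # filtered: the actions that run the permission check. The default covers
  # all of them; a shorter list models an action left unfiltered.
  def initialize(user, filtered: ACTIONS)
    @user = user
    @filtered = filtered
  end

  def perform(action)
    raise ArgumentError, "unknown action #{action}" unless ACTIONS.include?(action)
    if @filtered.include?(action) && !@user.can?(action)
      raise Forbidden, "#{@user.name} may not #{action} images"
    end
    :ok
  end
end

# Try every action as the given user and return the ones that still succeed.
def allowed_actions(user, filtered: ImagesController::ACTIONS)
  controller = ImagesController.new(user, filtered: filtered)
  ImagesController::ACTIONS.select do |action|
    begin
      controller.perform(action) == :ok
    rescue Forbidden
      false
    end
  end
end
if __FILE__ == $PROGRAM_NAME
  user = User.new("shveta", []) # role already revoked
  p allowed_actions(user, filtered: %i[import push_all]) # some actions unfiltered
  p allowed_actions(user)                                # every action filtered
end
```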

Comment 4 Scott Seago 2012-03-09 05:56:18 UTC
Patch on-list: https://fedorahosted.org/pipermail/aeolus-devel/2012-March/009484.html

Comment 5 Scott Seago 2012-03-12 04:36:15 UTC
Pushed to master: 570f0138508af369f41e2950b3aa632d0ea606dd

Comment 7 pushpesh sharma 2012-04-05 05:23:21 UTC
User is not able to import new images, delete images, push, build images after revoking the image admin permissions.
Marking this bug as verified based on the above observation.

Comment 9 errata-xmlrpc 2012-05-15 22:37:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0583.html
