Bug 796047 - SecurityViolation error while accessing gpg key details with read only user
Summary: SecurityViolation error while accessing gpg key details with read only user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: WebUI
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: Unspecified
Assignee: Partha Aji
QA Contact: Sachin Ghai
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-02-22 07:23 UTC by Sachin Ghai
Modified: 2019-09-26 17:45 UTC (History)
CC: 7 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When a read-only user attempted to view a GPG key in the graphical user interface, the body of the key was left blank. This was caused by a security violation error where the code had attempted to grant the user edit instead of read permissions. This is fixed in the current version. Users with read-only permission can now view GPG keys.
Clone Of:
Environment:
Last Closed: 2012-12-04 19:42:17 UTC
Target Upstream Version:


Attachments
Complete error log from production.log (10.12 KB, application/octet-stream), 2012-02-22 07:24 UTC, Sachin Ghai
no details displayed on UI for gpg_keys using read only user (43.48 KB, image/png), 2012-02-22 07:26 UTC, Sachin Ghai
can see details of gpg-key using read only user (69.57 KB, image/png), 2012-10-03 08:28 UTC, Sachin Ghai


Links
Red Hat Product Errata RHSA-2012:1543 (priority normal, status SHIPPED_LIVE): Important: CloudForms System Engine 1.1 update, last updated 2012-12-05 00:39:57 UTC

Description Sachin Ghai 2012-02-22 07:23:55 UTC
Description of problem:
I was trying to see the created gpgkey details in the ACME_Corporation org. However, when I click on the 'Details' tab of a gpg key, the following backtrace is generated in production.log, and nothing is displayed on the UI.

--
[ERROR: 2012-02-22 12:47:33 #30885] User reader is not allowed to access gpg_keys/edit
[ERROR: 2012-02-22 12:47:33 #30885] User reader is not allowed to access gpg_keys/edit
[ERROR: 2012-02-22 12:47:33 #30885] #<Errors::SecurityViolation: User reader is not allowed to access gpg_keys/edit>
[ERROR: 2012-02-22 12:47:33 #30885] /usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
[ERROR: 2012-02-22 12:47:33 #30885] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:458:in `_run__1167204022__process_action__1026853947__callbacks'
[ERROR: 2012-02-22 12:47:33 #30885] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_2755'

----

Version-Release number of selected component (if applicable):
pulp-0.0.265-1.el6.noarch
katello-cli-0.1.54-2.el6.noarch
katello-0.1.238-4.el6.noarch


How reproducible:
always

Steps to Reproduce:
1. Add gpg keys in any org with admin user
2. create a user 'reader' with read only permissions
3. login with reader and check the 'details' of gpg_key
  
Actual results:
Nothing is displayed on the UI under 'Details' and 'Product & repositories'; see the attached screenshot.

A long backtrace appears in production.log.

Expected results:
Details should be displayed properly, without any error in production.log.


Additional info:

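The permission mismatch described in the Doc Text and visible in the backtrace, as an added Ruby example that is not Katello's code: an action-to-permission table that gates the edit action on edit permission, beside the corrected table that gates it on read permission. That the Details tab is served by the edit action is an assumption drawn from the gpg_keys/edit path in the log; the users, rule tables and the authorize/outcome helpers are constructed for illustration.

```ruby
# Added illustration, not Katello's code: models the authorize check that
# produced "User reader is not allowed to access gpg_keys/edit".
class SecurityViolation < StandardError; end

# Constructed users: admin holds read and edit on gpg_keys, reader only read.
USERS = {
  "admin"  => { "gpg_keys" => [:read, :edit] },
  "reader" => { "gpg_keys" => [:read] },
}.freeze

# Assumed structure: the Details tab is rendered by the edit action, as the
# log path gpg_keys/edit shows. The buggy rules gate that action on :edit, so
# a read-only user fails the check and the pane renders empty.
BUGGY_RULES = {
  "gpg_keys" => { index: :read, edit: :edit, update: :edit },
}.freeze

# Fixed rules: rendering the pane needs only :read; update still needs :edit,
# so the fix widens the read path without weakening the write path.
FIXED_RULES = {
  "gpg_keys" => { index: :read, edit: :read, update: :edit },
}.freeze

# Look up the permission the action needs and raise when the user lacks it,
# with the same message shape seen in production.log.
def authorize(rules, user, controller, action)
  needed  = rules.fetch(controller).fetch(action)
  granted = USERS.fetch(user).fetch(controller, [])
  return true if granted.include?(needed)
  raise SecurityViolation, "User #{user} is not allowed to access #{controller}/#{action}"
end

# Returns :allowed, or the violation message, so both rule sets can be compared.
def outcome(rules, user, controller, action)
  authorize(rules, user, controller, action)
  :allowed
rescue SecurityViolation => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  { "buggy" => BUGGY_RULES, "fixed" => FIXED_RULES }.each do |name, rules|
    puts "#{name}: reader edit   -> #{outcome(rules, 'reader', 'gpg_keys', :edit)}"
    puts "#{name}: reader update -> #{outcome(rules, 'reader', 'gpg_keys', :update)}"
  end
end
```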
Comment 1 Sachin Ghai 2012-02-22 07:24:39 UTC
Created attachment 564851 [details]
Complete error log from production.log

Comment 2 Sachin Ghai 2012-02-22 07:26:08 UTC
Created attachment 564852 [details]
no details displayed on UI for gpg_keys using read only user

Comment 4 Pavel Pokorny 2012-09-10 08:00:39 UTC
It was fixed a long time ago in f61c2db.

I tested it in Katello Version: 1.1.9-1.git.95.0ed1e6f.el6.

Comment 7 Sachin Ghai 2012-10-03 08:27:04 UTC
Verified with following CFSE build:

katello-glue-candlepin-1.1.12-12.el6cf.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-all-1.1.12-12.el6cf.noarch
katello-cli-1.1.8-6.el6cf.noarch
katello-certs-tools-1.1.8-1.el6cf.noarch
katello-selinux-1.1.1-1.el6cf.noarch
katello-configure-1.1.9-6.el6cf.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-cli-common-1.1.8-6.el6cf.noarch
katello-common-1.1.12-12.el6cf.noarch
katello-1.1.12-12.el6cf.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-glue-pulp-1.1.12-12.el6cf.noarch


I can see the created gpg_key details using the read-only user, and no error is generated in production.log.

Comment 8 Sachin Ghai 2012-10-03 08:28:06 UTC
Created attachment 620677 [details]
can see details of gpg-key using read only user

Comment 10 errata-xmlrpc 2012-12-04 19:42:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-1543.html

