796437 – Users with super user role cannot view other users

Bug 796437 - Users with super user role cannot view other users

Summary: Users with super user role cannot view other users

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	RHQ Project
Classification:	Other
Component:	Core Server
Sub Component:
Version:	4.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	RHQ 4.3.0
Assignee:	RHQ Project Maintainer
QA Contact:	Mike Foley
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	jon310-sprint11, rhq44-sprint11 786159
TreeView+	depends on / blocked

Reported:	2012-02-22 21:35 UTC by John Sanda
Modified:	2013-08-31 10:15 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-08-31 10:15:45 UTC
Embargoed:

Attachments	(Terms of Use)

Description John Sanda 2012-02-22 21:35:01 UTC

Description of problem:
As a user in the super user role, e.g., rhqadmin, I cannot view other users in the users view. I came across this in master.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Log in as rhqadmin (or another user in the super user role).
2. Create a new user, and do not assign the user to the super user role.
3. After the user is created you are sent to the users view, but you will not see the user even if you click the refresh button in the footer.
  
Actual results:

Expected results:


Additional info:
I assigned the new user to a new role, and when I (as rhqadmin) go to view that role and click on the users tab, I do see the user listed. I can log in as the new user as well. The new user can the see the list of users as expected. This problem appears to be specific to users in the super user role.

Comment 1 John Sanda 2012-02-23 02:44:41 UTC

It appears that this may be related to bug 786159. CCing Ian Springer so he can take a look at this.

Comment 2 Ian Springer 2012-02-23 22:48:32 UTC

Fixed in master:

http://git.fedorahosted.org/git/?p=rhq/rhq.git;a=commitdiff;h=ffad3bb

We now make sure superusers, or users w/ MANAGE_SECURITY, can view other users, even if they don't have VIEW_USERS.

Comment 3 Ian Springer 2012-02-27 17:44:44 UTC

QA Steps
========
1) Verify that rhqadmin can view all other users.
2) Verify that another user added to the Superuser role can view all users.
3) Create a role that has MANAGE_SECURITY, but does *not* have VIEW_USERS. Add a user to that role. Verify that user can view all other users.
4) Create a role that has VIEW_USERS, but does *not* have MANAGE_SECURITY. Add a user to that role. Verify that user can view all other users.
5) Create a role with no permissions. Add a user to that role. Verify that user can *not* view any other users.
6) Create a user with no roles. Verify that user can *not* view any other users.

Comment 4 Jeeva Kandasamy 2012-04-25 12:34:14 UTC

Verified on the Build:
Version: 4.4.0-SNAPSHOT
Build Number: 5ffafd2
GWT Version: 2.4.0
SmartGWT Version: 3.0

OS: RHEL 6.1 X86_64
Browser: Firefox ESR 10.0.3

Followed the steps on Comment 3. Unable to execute the step #3, because "View Users permission cannot be deselected, unless the Manage Security permission, which implies all other permissions, is deselected first."

Comment 5 Heiko W. Rupp 2013-08-31 10:15:45 UTC

Bulk close of old bugs in VERIFIED state.

Note You need to log in before you can comment on or make changes to this bug.