Description of problem:
A user who has been granted a role that contains only the 'Sync Product' permission for a particular organization can view GPGKeys and edit repositories.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Create new user 'test_user'
2. Create new role 'sync products only'
3. Create Permission within ACME_Corporation with 'Permission For: Organization' and Verb 'Sync Product'
4. Add user 'test_user' to Role 'sync products only'
5. Logout and login as 'test_user'

Actual results:
The user can view all sync management pages; in addition, they can view GPG Keys and edit repositories under Providers.

Expected results:
Seems like if I only have permission to Sync Products I should not also have the ability to edit the details of a Repository. Further, I shouldn't expect to see GPGKey data.

Additional info:
mass move ON_QA after brewing
Fails QA. Can still view GPG keys and Custom provider pages. You can no longer edit repos though - that part is fixed.
Katello Version: 0.2.8-1.git.11.033f96d.el6
Can also view systems with just Sync Product permission.
The ability to view systems comes from setting a default environment and has nothing to do with having the 'Sync Products' permission. After discussion, it was decided being able to see GPG Keys with the 'Sync Products' permission is expected behavior given that 'Sync Products' gives you the ability to read provider information (i.e. Products, Repos, GPG Keys).
See "blocks" field for more general bug that should fix this as well.
Closing this bug in favor of the more general one, which will probably be deferred.
getting rid of 6.0.0 version since that doesn't exist