Bug 796964 - User with only 'Sync Product' permission can edit repositories and view gpg keys
Summary: User with only 'Sync Product' permission can edit repositories and view gpg keys
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: WebUI
Version: 6.0.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Eric Helms
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On: 801908
Blocks:
Reported: 2012-02-23 23:11 UTC by Eric Helms
Modified: 2019-09-26 13:31 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-22 18:29:10 UTC
Target Upstream Version:


Description Eric Helms 2012-02-23 23:11:38 UTC
Description of problem:
A user who has been granted a role that contains only the 'Sync Product' permission for a particular organization can view GPGKeys and edit repositories.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Create new user 'test_user'
2. Create new role 'sync products only'
3. Create Permission within ACME_Corporation with 'Permission For: Organization' and Verb 'Sync Product'
4. Add user 'test_user' to Role 'sync products only'
5. Logout and login as 'test_user'
  
Actual results:
The user can view all sync management pages; in addition, they can view GPG Keys and edit repositories under Providers.

Expected results:
Seems like if I only have permission to Sync Products I should not also have the ability to edit the details of a Repository. Further, I shouldn't expect to see GPGKey data.

Additional info:

Comment 2 Mike McCune 2012-03-07 23:43:49 UTC
mass move ON_QA after brewing

Comment 3 Jeff Weiss 2012-03-08 19:29:17 UTC
Fails QA.  Can still view GPG keys and Custom provider pages.  You can no longer edit repos though - that part is fixed.

Comment 4 Jeff Weiss 2012-03-08 19:29:25 UTC
Katello Version: 0.2.8-1.git.11.033f96d.el6

Comment 5 Jeff Weiss 2012-03-08 19:35:54 UTC
Can also view systems with just Sync Product permission.

Comment 6 Eric Helms 2012-03-09 19:01:46 UTC
The ability to view systems comes from setting a default environment and has nothing to do with having the 'Sync Products' permission.  After discussion, it was decided being able to see GPG Keys with the 'Sync Products' permission is expected behavior given that 'Sync Products' gives you the ability to read provider information (i.e. Products, Repos, GPG Keys).

Comment 7 Jeff Weiss 2012-03-09 19:59:32 UTC
See "blocks" field for more general bug that should fix this as well.

Comment 8 Jeff Weiss 2012-03-14 15:29:48 UTC
Closing this bug in favor of the more general one, which will probably be deferred.

Comment 10 Mike McCune 2013-08-16 18:21:43 UTC
getting rid of 6.0.0 version since that doesn't exist

