Bug 873302 - Environments do not populate when adding a new user without full admin
Environments do not populate when adding a new user without full admin
Product: Subscription Asset Manager
Classification: Red Hat
Component: katello (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Adam Price
Katello QA List
: Triaged
Depends On:
Blocks: sam13-tracker 874583
  Show dependency treegraph
Reported: 2012-11-05 09:20 EST by Jason Montleon
Modified: 2013-10-01 06:52 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 874583 (view as bug list)
Last Closed: 2013-10-01 06:52:41 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jason Montleon 2012-11-05 09:20:33 EST
Description of problem:
If I give a user all User related roles in Global Permissions (Read Users, Administer Users, Modify Users, and Delete Useres), people assigned this role can start to create a new user, but when they choose an Org the list of environments never populate.

Adding the Read Organizations and Read Environment Contents Global Roles does not help. In addition adding full permission to the Org for which they were intended to administer users in does not help either.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create a new role with all global permissions related to users
2. Assign the role to a user
3. Login as the user with the new role and attempt to create a new role
Actual results:
Environments never populate

Expected results:
Environments should populate

Additional info:
It seems to only work if I assign full administrative privileges.
Comment 1 Jason Montleon 2012-11-05 09:21:12 EST
"3. Login as the user with the new role and attempt to create a new role"

should read:

"3. Login as the user with the new role and attempt to create a new user"
Comment 3 Adam Price 2012-11-06 12:28:16 EST
if the creating user doesn't have organization-viewing permissions, then i think he/she shouldn't be able to see the list of organizations. So effectively (with only User permissions) the creating user should only be able to create Users, but not assign Organizations and Environments.
Comment 4 Jason Montleon 2012-11-06 13:20:43 EST
The two problems with that.

The first is that it happens when you give the person full access to an Org and all user rights they still can't get the list of environments. 

For instance, I created an account for myself 'jmontleo' who has the 'SOC Administrator' Role which grants full access to the SOC Organization. In addition I have granted my account the 'User Management Role' which includes Global Permissions for Users, with the verbs Read Users, Administer Users, Delete Users, Modify Users on +All.

The second is that if you try to save a user without assigning an environment you get the following error and the user does not get saved (even though there are four environments (Dev, QA, Stage, and Prod) in the Org:

No environments are currently available in this organization. Please either add some to the organization or select an organization that has an environment to set user default. (RuntimeError)

Click here for more details.
Comment 5 Tom McKay 2012-11-06 13:59:43 EST
You wouldn't get that error about an org not having environments if you weren't able to select the org in the first place.

The suggestion is that if you don't have environment access, put a nice message on that page indicating that without the proper permissions, a default system environment is not settable.
Comment 6 Jason Montleon 2012-11-06 15:14:38 EST
But why wouldn't I be able to select the Org or see the environments if my account has full access to the Org.
Comment 7 Adam Price 2012-11-06 15:41:01 EST
@Jason, the permission check was messed up to start with. That's why it wasn't working even if you had correct org and env viewing permissions.
Comment 9 Bryan Kearney 2013-06-07 14:19:36 EDT
Moving all POST bugs to ON_QA since we have delivered a puddle with the bugs.
Comment 10 sthirugn@redhat.com 2013-08-11 22:57:57 EDT

1. Create a new role with all global permissions related to users
2. Assign the role to a user
3. Login as the user with the new role and attempt to create a new user

Packages tested:
* candlepin-0.8.19-1.el6sam.noarch
* candlepin-scl-1-5.el6_4.noarch
* candlepin-scl-quartz-2.1.5-5.el6_4.noarch
* candlepin-scl-rhino-1.7R3-1.el6_4.noarch
* candlepin-scl-runtime-1-5.el6_4.noarch
* candlepin-selinux-0.8.19-1.el6sam.noarch
* candlepin-tomcat6-0.8.19-1.el6sam.noarch
* elasticsearch-0.19.9-8.el6sat.noarch
* katello-candlepin-cert-key-pair-1.0-1.noarch
* katello-certs-tools-1.4.2-2.el6sat.noarch
* katello-cli-1.4.3-5.el6sat.noarch
* katello-cli-common-1.4.3-5.el6sat.noarch
* katello-common-1.4.3-6.el6sam_splice.noarch
* katello-configure-1.4.4-2.el6sat.noarch
* katello-glue-candlepin-1.4.3-6.el6sam_splice.noarch
* katello-glue-elasticsearch-1.4.3-6.el6sam_splice.noarch
* katello-headpin-1.4.3-6.el6sam_splice.noarch
* katello-headpin-all-1.4.3-6.el6sam_splice.noarch
* katello-selinux-1.4.4-2.el6sat.noarch
* thumbslug-0.0.32-1.el6sam.noarch
* thumbslug-selinux-0.0.32-1.el6sam.noarch
Comment 12 errata-xmlrpc 2013-10-01 06:52:41 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.