Description of problem:
When a user without remove system permissions calls the CLI command "system remove_deletion", it finishes successfully without any warning.

Version-Release number of selected component (if applicable):
katello-glue-candlepin-1.3.3-1.git.9.9377ddb.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-repos-1.3.2-1.el6.noarch
katello-configure-1.3.3-1.git.5.0f1d8f6.el6.noarch
katello-glue-foreman-1.3.3-1.git.9.9377ddb.el6.noarch
katello-agent-1.1.3-1.el6.noarch
katello-selinux-1.3.1-1.el6.noarch
katello-1.3.3-1.git.9.9377ddb.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch
katello-cli-1.3.3-1.el6.noarch
katello-certs-tools-1.1.9-1.el6.noarch
katello-common-1.3.3-1.git.9.9377ddb.el6.noarch
katello-glue-pulp-1.3.3-1.git.9.9377ddb.el6.noarch
katello-qpid-broker-key-pair-1.0-1.noarch
katello-cli-common-1.3.3-1.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Register a new system.
2. Create a user without rights to remove system (org or global).
3. From UI delete that system by admin user.
4. In CLI, call "system remove_deletion" command by newly created user.

You will see that no error message is shown and the system is removed, which is a bug.

Actual results:
System is removed when the user does not have permission to remove it.

Expected results:
An error message should be thrown indicating that the current user does not have permission to call that command.

Ok, this is the test we do in Katello:

    when :api_proxy_consumer_deletionrecord_delete_path
      if !User.consumer?
        consumer_gone, consumer_live = false
        begin
          Resources::Candlepin::Consumer.get params[:id]
          # check with candlepin if system is Gone, raises RestClient::Gone
          # a 200 means the system exists. the deletion record wont exist, but its
          # not a permissions error
          consumer_live = true
        rescue RestClient::Gone
          # the correct response is a 410, since the system has been deleted
          consumer_gone = true
        end
      end
      User.consumer? || consumer_gone || consumer_live

Obviously we pass non-consumer users, which is a security issue (consumer_live is true).

@Jordan - can you please guide me on what the idea behind the consumer_live variable was?

This code was modified to allow non-consumer access to the deletion record; i.e. letting a user directly remove a system's deletion record.

The consumer_live means the system is currently active; consumer_gone means the system has been deleted (and thus should have a deletion record).

I think the issue is that if the user is NOT a consumer, we need to perform an additional check:
1. load katello system object based on candlepin id,
2. ensure "system.editable?" for that system

Something like:

    User.consumer? || (system.editable? && (consumer_gone || consumer_live))

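
Added example, not part of the bug thread or Katello's code: a constructed Ruby model that runs the quoted rule and the rule suggested above over every principal and both Candlepin outcomes, showing that the quoted rule never denies a request. The `User` and `System` structs, `editable?(user)`, the `:live` / `:gone` statuses and the deny-on-unknown-id branch are assumptions made for illustration.

```ruby
# Constructed model: User, System and :live/:gone are hypothetical stand-ins
# for Katello's user, its system object and Candlepin's 200 / 410 responses.
User = Struct.new(:name, :consumer, :editable_ids) do
  def consumer?
    consumer
  end
end

System = Struct.new(:uuid) do
  def editable?(user)
    user.editable_ids.include?(uuid)
  end
end

# Rule as quoted in the thread: a non-consumer passes on 200 (live) or
# 410 (gone). Those are the only two outcomes, so nobody is ever denied.
def allowed_before?(user, candlepin_status)
  consumer_gone = consumer_live = false
  unless user.consumer?
    consumer_live = (candlepin_status == :live)
    consumer_gone = (candlepin_status == :gone)
  end
  user.consumer? || consumer_gone || consumer_live
end

# Rule suggested in the thread: a non-consumer must also hold edit rights
# on the system that the Candlepin id maps to.
def allowed_suggested?(user, system, candlepin_status)
  return true if user.consumer?
  return false if system.nil? # unknown id: deny by default (assumption)
  system.editable?(user) && %i[live gone].include?(candlepin_status)
end

# Constructed decision matrix: each principal against both Candlepin outcomes.
def decision_matrix
  sys = System.new("sys-1")
  users = [User.new("consumer", true, []),
           User.new("admin", false, ["sys-1"]),
           User.new("nobody", false, [])]
  users.product(%i[live gone]).map do |u, status|
    [u.name, status, allowed_before?(u, status), allowed_suggested?(u, sys, status)]
  end
end

decision_matrix.each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```

Each row is name, Candlepin status, decision under the quoted rule, decision under the suggested rule; the "admin" rows double as a regression check that a user with edit rights is still allowed.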
Nice catch! Fixed: https://github.com/Katello/katello/pull/1449

    [root@bb ~]# katello --user nobody --pass nobody system remove_deletion --uuid d6e48043-46f1-4ee1-9eab-b4923a92a55b
    User nobody is not allowed to access api/candlepin_proxies/delete

Now, with the latest katello build, when "admin" calls that command it says: "User admin is not allowed to access api/candlepin_proxies/delete". Shouldn't the "Admin" user still have access to call "system remove_deletion"?

Tested on revision:
katello-qpid-broker-key-pair-1.0-1.noarch
katello-all-1.4.1-1.git.9.ff9a101.el6.noarch
katello-repos-1.4.1-1.el6.noarch
katello-certs-tools-1.4.1-1.el6.noarch
katello-configure-1.4.1-1.el6.noarch
katello-glue-candlepin-1.4.1-1.git.9.ff9a101.el6.noarch
katello-candlepin-cert-key-pair-1.0-1.noarch
katello-cli-1.4.1-1.el6.noarch
katello-selinux-1.4.1-1.el6.noarch
katello-glue-pulp-1.4.1-1.git.9.ff9a101.el6.noarch
katello-agent-1.4.1-1.el6.noarch
katello-glue-elasticsearch-1.4.1-1.git.9.ff9a101.el6.noarch
katello-1.4.1-1.git.9.ff9a101.el6.noarch
katello-cli-common-1.4.1-1.el6.noarch
katello-common-1.4.1-1.git.9.ff9a101.el6.noarch
katello-qpid-client-key-pair-1.0-1.noarch

The main bug still exists:
1. Register a new system.
2. Create a user without rights to remove system (org or global).
3. Unregister that system.
4. In CLI, call "system remove_deletion" command by newly created user.

You will see that no error message is shown and the system is removed, which is a bug.

https://github.com/Katello/katello/pull/2695

Closing as duplicate of the tool-generated tracking bugs (will create fewer problems than trying to convert this bug to a tracker).

*** This bug has been marked as a duplicate of bug 991634 ***