Bug 917933 - User can delete jobs not owned by itself
Summary: User can delete jobs not owned by itself
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Community
Component: scheduler
Version: 0.11
Hardware: Unspecified
OS: Unspecified
unspecified
high vote
Target Milestone: 0.12
Assignee: Qixiang Wan
QA Contact: Raymond Mancy
URL:
Whiteboard: Misc
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-03-05 07:05 UTC by Monson Shao
Modified: 2018-02-06 00:41 UTC (History)
8 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2013-04-11 04:56:36 UTC


Attachments (Terms of Use)

Description Monson Shao 2013-03-05 07:05:17 UTC
Description of problem:
One can delete jobs not owned by itself, via webui or command line.
It's odd that you have not permission to cancel someone's jobs, but you can delete them.
One user's misoperation may involve others, and admin seems not able to recover deleted jobs. (maybe another ticket should be filed?)

Version-Release number of selected component (if applicable):
0.11.3 

Steps to Reproduce:
$ bkr job-delete J:xxxxxx

Actual results:
User can delete anyone's jobs.

Expected results:
User can only delete own jobs.

Additional info:

Comment 1 Qixiang Wan 2013-03-06 05:19:31 UTC
on gerrit: http://gerrit.beaker-project.org/1787

Comment 3 Raymond Mancy 2013-04-02 12:23:43 UTC
Verified:
  XML-RPC fault: <class 'bkr.common.bexceptions.BeakerException'>:"You don't have permission to delete job J:113"

Comment 4 Dan Callaghan 2013-04-11 04:56:36 UTC
Beaker 0.12 has been released.


Note You need to log in before you can comment on or make changes to this bug.