Bug 917933 - User can delete jobs not owned by itself
Summary: User can delete jobs not owned by itself
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: scheduler
Version: 0.11
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: 0.12
Assignee: Qixiang Wan
QA Contact: Raymond Mancy
URL:
Whiteboard: Misc
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-03-05 07:05 UTC by Monson Shao
Modified: 2018-02-06 00:41 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-04-11 04:56:36 UTC
Embargoed:

Attachments (Terms of Use)

Description Monson Shao 2013-03-05 07:05:17 UTC 
Description of problem:
One can delete jobs not owned by itself, via webui or command line.
It's odd that you have not permission to cancel someone's jobs, but you can delete them.
One user's misoperation may involve others, and admin seems not able to recover deleted jobs. (maybe another ticket should be filed?)

Version-Release number of selected component (if applicable):
0.11.3 

Steps to Reproduce:
$ bkr job-delete J:xxxxxx

Actual results:
User can delete anyone's jobs.

Expected results:
User can only delete own jobs.

Additional info:
Comment 1 Qixiang Wan 2013-03-06 05:19:31 UTC 
on gerrit: http://gerrit.beaker-project.org/1787
Comment 3 Raymond Mancy 2013-04-02 12:23:43 UTC 
Verified:
  XML-RPC fault: <class 'bkr.common.bexceptions.BeakerException'>:"You don't have permission to delete job J:113"
Comment 4 Dan Callaghan 2013-04-11 04:56:36 UTC 
Beaker 0.12 has been released.
Note You need to log in before you can comment on or make changes to this bug.