Red Hat Bugzilla – Bug 970499
any user can add a system to their group
Last modified: 2018-02-05 19:41:31 EST
Description of problem:
Any user can add any system to their group, even if they don't own the system.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Create a new group
2. From the group edit page, add a system which you do not own
Permitted to add the system.
Should only be allowed to add systems which you own. Otherwise it is a loophole through which users can grant themselves extra access to locked-down systems.
On Gerrit: http://gerrit.beaker-project.org/2016
Confirmed that without admin access, I can no longer add arbitrary systems to my groups.
Beaker 0.13.1 has been released.