Description of problem: Any user can add any system to their group, even if they don't own the system. Version-Release number of selected component (if applicable): unreleased Steps to Reproduce: 1. Create a new group 2. From the group edit page, add a system which you do not own Actual results: Permitted to add the system. Expected results: Should only be allowed to add systems which you own. Otherwise it is a loophole through which users can grant themselves extra access to locked-down systems.
On Gerrit: http://gerrit.beaker-project.org/2016
Confirmed that without admin access, I can no longer add arbitrary systems to my groups.
Beaker 0.13.1 has been released.