Bug #16807

test mail button requires excessive privileges

Added by Steve Traylen about 1 year ago. Updated 3 months ago.

Status:Closed
Priority:Normal
Assigned To:Amir Fefer
Category:E-Mail
Target version:-
Difficulty:
Bugzilla link:
Found in release:1.11.2
Pull request:https://github.com/theforeman/foreman/pull/4595
Story points:-
Velocity based estimate:-
Release:1.15.2
Release relationship:Auto

Description

When trying the test mail button I believe I run into a missing ACL?

2016-10-05 13:40:44 [app] [I] Started PUT "/users/5-straylen/test_mail" for 188.184.65.139 at 2016-10-05 13:40:44 +0200
2016-10-05 13:40:44 [app] [I] Processing by UsersController#test_mail as */*
2016-10-05 13:40:44 [app] [I] Parameters: {"user_email"=>"", "id"=>"5-straylen"}
2016-10-05 13:40:44 [app] [I] Rendered common/403.html.erb (1.4ms)
2016-10-05 13:40:44 [app] [I] Filter chain halted as :authorize rendered or redirected

The button works as admin.

Comment from IRC:

The button requires that the user has either create or edit_users, which is clearly unnecessary.


Related issues

Duplicated by Foreman - Bug #20410: Getting 403 forbidden error while setting the email prefe... Duplicate 07/26/2017

Associated revisions

Revision 25236783
Added by Amir Fefer 4 months ago

Fixes #16807 - remove permission edit_users for test_mail

Revision 8fdca8b8
Added by Amir Fefer 4 months ago

Fixes #16807 - remove permission edit_users for test_mail

(cherry picked from commit 25236783e8c59028e78652e15106d9c1e7ef6778)

History

#1 Updated by The Foreman Bot 4 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4595 added

#2 Updated by Ohad Levy 4 months ago

  • Release set to 1.16.0

#3 Updated by Amir Fefer 4 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Daniel Lobato Garcia 4 months ago

  • Release changed from 1.16.0 to 1.15.2

#5 Updated by Daniel Lobato Garcia 3 months ago

  • Duplicated by Bug #20410: Getting 403 forbidden error while setting the email preference or sending the test email with a normal user with viewer access added

#6 Updated by Tomer Brisker 3 months ago

  • Assigned To changed from Steve Traylen to Amir Fefer
