Bug #16807

test mail button requires excessive privileges

Added by Steve Traylen 11 months ago. Updated 28 days ago.

Assigned To: Amir Fefer
Target version: -
Difficulty:
Bugzilla link:
Found in release: 1.11.2
Pull request: https://github.com/theforeman/foreman/pull/4595
Story points: -
Velocity based estimate: -
Release: 1.15.2
Release relationship: Auto


When trying the test mail button I believe I run into a missing ACL?

2016-10-05 13:40:44 [app] [I] Started PUT "/users/5-straylen/test_mail" for at 2016-10-05 13:40:44 +0200
2016-10-05 13:40:44 [app] [I] Processing by UsersController#test_mail as */*
2016-10-05 13:40:44 [app] [I] Parameters: {"user_email"=>"", "id"=>"5-straylen"}
2016-10-05 13:40:44 [app] [I] Rendered common/403.html.erb (1.4ms)
2016-10-05 13:40:44 [app] [I] Filter chain halted as :authorize rendered or redirected

The button works as admin.

Comment from IRC:

The button requires that the user has either create or edit_users, which is clearly unnecessary.
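The log above shows the request being stopped by the controller's authorize filter and a 403 rendered because the viewer-only user holds neither create_users nor edit_users. The following is an added illustration, not Foreman's code and not the change in the linked pull request: a small model of permission-to-action mapping in which the "before" map attaches users#test_mail to the user-management permissions, and the "after" map drops it and instead allows the action only against the caller's own user record. The permission names, action names, Authorizer class and sample users are constructed for this example.

```ruby
# Added example (not Foreman's code): a minimal model of controller action
# authorization, showing why a "test mail" action should not require the
# edit_users permission and what a least-privilege check looks like instead.

User = Struct.new(:id, :permissions, :admin)

# Each permission covers a set of controller actions. These maps are
# constructed for this example and do not reproduce Foreman's own tables.
# Before the fix: test_mail is reachable only through create/edit_users.
PERMISSION_ACTIONS_BEFORE = {
  'view_users'   => %w[users#index users#show],
  'create_users' => %w[users#new users#create users#test_mail],
  'edit_users'   => %w[users#edit users#update users#test_mail],
}.freeze

# After the fix: test_mail is no longer tied to user-management permissions.
PERMISSION_ACTIONS_AFTER = {
  'view_users'   => %w[users#index users#show],
  'create_users' => %w[users#new users#create],
  'edit_users'   => %w[users#edit users#update],
}.freeze

# Actions any authenticated user may run, but only against their own record.
SELF_SERVICE_ACTIONS = %w[users#test_mail].freeze

class Authorizer
  def initialize(permission_map, self_service_actions = [])
    @permission_map = permission_map
    @self_service = self_service_actions
  end

  # True if the user may run the action on the given target user record.
  def allowed?(user, action, target_user_id: nil)
    return true if user.admin
    # Least-privilege path: acting on one's own settings needs no
    # user-management permission, but never extends to other users' records.
    return true if @self_service.include?(action) && target_user_id == user.id
    user.permissions.any? { |perm| @permission_map.fetch(perm, []).include?(action) }
  end
end

# Mirrors the filter-chain outcome in the log: 200 on success, 403 otherwise.
def authorize(authorizer, user, action, target_user_id: nil)
  authorizer.allowed?(user, action, target_user_id: target_user_id) ? 200 : 403
end

# Constructed sample users: a viewer-only user (id 5, as in the log) and an admin.
VIEWER = User.new(5, %w[view_users], false)
ADMIN  = User.new(1, [], true)

BEFORE = Authorizer.new(PERMISSION_ACTIONS_BEFORE)
AFTER  = Authorizer.new(PERMISSION_ACTIONS_AFTER, SELF_SERVICE_ACTIONS)

if __FILE__ == $PROGRAM_NAME
  puts "before fix, viewer tests own mail:            #{authorize(BEFORE, VIEWER, 'users#test_mail', target_user_id: 5)}"
  puts "before fix, admin tests viewer's mail:        #{authorize(BEFORE, ADMIN, 'users#test_mail', target_user_id: 5)}"
  puts "after fix,  viewer tests own mail:            #{authorize(AFTER, VIEWER, 'users#test_mail', target_user_id: 5)}"
  puts "after fix,  viewer tests another user's mail: #{authorize(AFTER, VIEWER, 'users#test_mail', target_user_id: 7)}"
end
```

The design point is in the self-service branch: the check compares the target record's id with the caller's id, so removing edit_users from the action does not open it up to every user record, only to the caller's own.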

Related issues

Duplicated by Foreman - Bug #20410: Getting 403 forbidden error while setting the email prefe... Duplicate 07/26/2017

Associated revisions

Revision 25236783
Added by Amir Fefer 2 months ago

Fixes #16807 - remove permission edit_users for test_mail


#1 Updated by The Foreman Bot 2 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4595 added

#2 Updated by Ohad Levy 2 months ago

  • Release set to 1.16.0

#3 Updated by Amir Fefer 2 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#4 Updated by Daniel Lobato Garcia 2 months ago

  • Release changed from 1.16.0 to 1.15.2

#5 Updated by Daniel Lobato Garcia 29 days ago

  • Duplicated by Bug #20410: Getting 403 forbidden error while setting the email preference or sending the test email with a normal user with viewer access added

#6 Updated by Tomer Brisker 28 days ago

  • Assigned To changed from Steve Traylen to Amir Fefer
