Plugins » Katello

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1410916

Description of problem:

When using a user with restricted rights I can add repositories
that I should not be allowed to.

Version-Release number of selected component (if applicable):

6.2.2 - 6.2.6

How reproducible:

100%

Steps to Reproduce:
1. The role assigned to the user has the following permission set

1. hammer u admin -p redhat role filters --id=22
   ---|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
   ID | RESOURCE TYPE | SEARCH | UNLIMITED? | ROLE | PERMISSIONS
   ----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
   167 | Katello::Product | name ~ "Test_*" || name ~ "rhel7*" | no | Limited | view_products, create_products, edit_products, destroy_products, sync_product...
   168 | Katello::System | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no | Limited | view_content_hosts, edit_content_hosts
   169 | Katello::ContentView | name ~ "Test_*" || name ~ "rhel7*" | no | Limited | view_content_views, create_content_views, edit_content_views, destroy_content...
   170 | Host | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no | Limited | view_hosts, edit_hosts
   171 | Katello::HostCollection | name ~ "Test_*_Dev" || name ~ "Test_*_QA" | no | Limited | view_host_collections, edit_host_collections
   172 | JobInvocation | none | yes | Limited | create_job_invocations, view_job_invocations
   173 | Katello::KTEnvironment | name ~ Dev || name ~ QA | no | Limited | view_lifecycle_environments, edit_lifecycle_environments, promote_or_remove_c...
   174 | Katello::ActivationKey | name ~ ak_test | no | Limited | view_activation_keys, create_activation_keys, edit_activation_keys, destroy_a...
   176 | Organization | none | yes | Limited | view_organizations, assign_organizations, view_subscriptions, attach_subscrip...
   ----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------

2. Identify a repo which does not meet the above filter

1. hammer -u admin -p redhat repository list | grep ^4
   4 | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os

3. Verify the user cannot see it

1. hammer -u limited -p redhat repository list | grep ^4
   <no output> as this repository doesn't match the search filter

4. Add the repository to the content view

1. hammer -u limited -p redhat content-view add-repository --repository-id=4 --name Test_A_QA --organization ACME
   The repository has been associated

Actual results:

Step 4 succeeds in adding a repository that doesn't match the search filter

Expected results:

Step 4 should fail since the repository doesn't match the search filter

Additional info:

5. # hammer -u limited -p redhat repository list | grep ^4
4 | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os

Not only has it been associated, it's now returned in the list of repositories,
again despite it not matching the search filter.