Bug #18035

Should only be able to add repositories you have access to

Added by Brad Buckingham 9 months ago. Updated 19 days ago.

Status:Assigned
Priority:Normal
Assigned To:Jonathon Turel
Category:Roles and Permissions
Target version:Team Brad - Backlog
Difficulty:
Pull request:
Bugzilla link:1410916
Story points-
Velocity based estimate-
Release:Katello 3.6.0
Release relationship:Auto

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1410916

Description of problem:

When using a user with restricted rights I can add repositories
that I should not be allowed to.

Version-Release number of selected component (if applicable):

6.2.2 - 6.2.6

How reproducible:

100%

Steps to Reproduce:
1. The role assigned to the user has the following permission set

  1. hammer -u admin -p redhat role filters --id=22
    ----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
    ID  | RESOURCE TYPE           | SEARCH                                                          | UNLIMITED? | ROLE    | PERMISSIONS
    ----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
    167 | Katello::Product | name ~ "Test_*" || name ~ "rhel7*" | no | Limited | view_products, create_products, edit_products, destroy_products, sync_product...
    168 | Katello::System | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no | Limited | view_content_hosts, edit_content_hosts
    169 | Katello::ContentView | name ~ "Test_*" || name ~ "rhel7*" | no | Limited | view_content_views, create_content_views, edit_content_views, destroy_content...
    170 | Host | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no | Limited | view_hosts, edit_hosts
    171 | Katello::HostCollection | name ~ "Test_*_Dev" || name ~ "Test_*_QA" | no | Limited | view_host_collections, edit_host_collections
    172 | JobInvocation | none | yes | Limited | create_job_invocations, view_job_invocations
    173 | Katello::KTEnvironment | name ~ Dev || name ~ QA | no | Limited | view_lifecycle_environments, edit_lifecycle_environments, promote_or_remove_c...
    174 | Katello::ActivationKey | name ~ ak_test | no | Limited | view_activation_keys, create_activation_keys, edit_activation_keys, destroy_a...
    176 | Organization | none | yes | Limited | view_organizations, assign_organizations, view_subscriptions, attach_subscrip...
    ----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------

2. Identify a repo which does not meet the above filter

  1. hammer -u admin -p redhat repository list | grep ^4
    4 | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os

3. Verify the user cannot see it

  1. hammer -u limited -p redhat repository list | grep ^4
    <no output> as this repository doesn't match the search filter

4. Add the repository to the content view

  1. hammer -u limited -p redhat content-view add-repository --repository-id=4 --name Test_A_QA --organization ACME
    The repository has been associated

Actual results:

Step 4 succeeds in adding a repository that doesn't match the search filter

Expected results:

Step 4 should fail since the repository doesn't match the search filter

Additional info:

5. # hammer -u limited -p redhat repository list | grep ^4
4 | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os

Not only has it been associated, it's now returned in the list of repositories,
again despite it not matching the search filter.
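The authorization gap the report describes, as an added example that is not from the report or from Katello's code base: a constructed in-memory model where a repository id passed to the add-repository action is resolved either against all repositories (the reported behaviour) or only inside the set the role filter permits (the expected behaviour). The model names, the glob interpretation of the `~` search operator and the helper names are assumptions for illustration.

```ruby
# Constructed in-memory stand-in for the Katello models involved in this bug.
# Names and filter strings mirror the report; the helper names and the glob
# reading of "~" are assumptions, not Katello's own API or search semantics.
Product    = Struct.new(:id, :name)
Repository = Struct.new(:id, :name, :product)

PRODUCTS = [
  Product.new(1, "Test_Product"),
  Product.new(2, "rhel7-extras"),
  Product.new(3, "Red Hat Software Collections for RHEL Server"),
]
REPOSITORIES = [
  Repository.new(1, "Test_Product RPMs", PRODUCTS[0]),
  Repository.new(2, "rhel7-extras RPMs", PRODUCTS[1]),
  Repository.new(4, "Red Hat Software Collections RPMs for RHEL 7 Server", PRODUCTS[2]),
]

# Role filter from step 1 of the report: name ~ "Test_*" || name ~ "rhel7*".
# Each pattern is matched against the product name as a shell-style glob.
PRODUCT_FILTER = ['Test_*', 'rhel7*'].freeze

def product_permitted?(product, patterns = PRODUCT_FILTER)
  patterns.any? { |pat| File.fnmatch(pat, product.name) }
end

# Repositories the limited user may work with: those whose product passes the
# role filter. This is the scope that "hammer repository list" applies in step 3.
def permitted_repositories(patterns = PRODUCT_FILTER)
  REPOSITORIES.select { |r| product_permitted?(r.product, patterns) }
end

class NotAuthorized < StandardError; end

# Reported behaviour (step 4): the id is resolved against every repository,
# so the role filter is never consulted and repository 4 is associated.
def add_repository_unscoped(content_view_repos, repo_id)
  repo = REPOSITORIES.find { |r| r.id == repo_id } or raise ArgumentError, "no such repository"
  content_view_repos << repo
end

# Expected behaviour: the id is resolved only inside the permitted scope, so an
# id outside the filter is rejected exactly like a non-existent one.
def add_repository_scoped(content_view_repos, repo_id, patterns = PRODUCT_FILTER)
  repo = permitted_repositories(patterns).find { |r| r.id == repo_id }
  raise NotAuthorized, "repository #{repo_id} is not within the role filter" unless repo
  content_view_repos << repo
end
```

The same scoped lookup has to be applied wherever ids arrive from the client (add, remove, update), since the listing endpoint filtering correctly, as step 3 shows, says nothing about the mutation endpoints.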


Related issues

Duplicated by Katello - Bug #18838: Managing repositories with their id via hammer does not r... Duplicate 03/08/2017
Duplicated by Katello - Bug #20409: [BUG] User with role containing "edit_products" filter on... Duplicate 07/25/2017

History

#1 Updated by Brad Buckingham 9 months ago

  • Subject changed from Should only be able to add repositories you have access to to Should only be able to add repositories you have access to
  • Target version set to Team Brad - Iteration 9
  • Release set to Katello Backlog

#2 Updated by Brad Buckingham 9 months ago

Need to test this and see if it exists on master. If it does not, ideally locate a duplicate that can be associated with the referenced bugzilla.

#3 Updated by Brad Buckingham 9 months ago

  • Status changed from New to Assigned
  • Assigned To set to Brad Buckingham

#4 Updated by Brad Buckingham 8 months ago

  • Target version changed from Team Brad - Iteration 9 to Team Brad - Iteration 10

#5 Updated by Brad Buckingham 7 months ago

  • Target version changed from Team Brad - Iteration 10 to Team Brad - Backlog

#6 Updated by Brad Buckingham 7 months ago

  • Target version changed from Team Brad - Backlog to Team Brad - Iteration 11

#7 Updated by Brad Buckingham 7 months ago

  • Target version changed from Team Brad - Iteration 11 to Team Brad - Iteration 12

#8 Updated by Brad Buckingham 6 months ago

  • Target version changed from Team Brad - Iteration 12 to Team Brad - Iteration 13

#9 Updated by Brad Buckingham 5 months ago

  • Target version changed from Team Brad - Iteration 13 to Team Brad - Backlog

#10 Updated by Brad Buckingham about 1 month ago

  • Assigned To changed from Brad Buckingham to Jonathon Turel

#11 Updated by Brad Buckingham about 1 month ago

  • Duplicated by Bug #18838: Managing repositories with their id via hammer does not respect the role filters added

#12 Updated by Brad Buckingham about 1 month ago

  • Release changed from Katello Backlog to Katello 3.4.5

Setting release to Katello 3.4.5, as that was the target for the duplicate issue 18838. If we need to alter/update it later, we can do so; however, I think we should attempt to achieve that same target.

#13 Updated by Brad Buckingham about 1 month ago

  • Release changed from Katello 3.4.5 to Katello 3.5.0

#14 Updated by Brad Buckingham 28 days ago

  • Duplicated by Bug #20409: [BUG] User with role containing "edit_products" filter on a specific product can remove content from other product's repositories also. added

#15 Updated by Justin Sherrill 19 days ago

  • Release changed from Katello 3.5.0 to Katello 3.6.0
