Bug #18838

Managing repositories with their id via hammer does not respect the role filters

Added by Brad Buckingham 9 months ago. Updated 5 months ago.

Status:Duplicate
Priority:High
Assigned To:Brad Buckingham
Category:Repositories
Target version:Team Brad - Iteration 18
Difficulty: Pull request:
Bugzilla link:1429590
Story points-
Velocity based estimate-
ReleaseKatello 3.4.5Release relationshipAuto

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1429590

Description of problem:
After settings a new role to allow restricted access on a repository with a filter (filter set on the Product Name), the filter is not respected when the actions are done via hammer using the repository id.

How reproducible:
100%

Steps to Reproduce:
1. Have repositories from more than 1 Product, by example:
Red Hat Enterprise Linux Server
Red Hat Satellite
Custom_Product

Optional -> You can also have 2 Organization and only allow 1 of them through the filter:
MyOrg
OtherOrg

2. Create a new role "Custom_bug_role"

3. Create the following 2 filters for that role
Filter 1
Resource type: Organization
Permission: view_organizations
Search filter: name = "MyOrg"

Filter 2
Resource type: Product and Repositories
Permission: view_products, edit_products, sync_products
Search filter: name = "Red Hat Enterprise Linux Server"

4. Create a test user and assign the custom role
Username: Test_bug_user
Role: Custom_bug_role

5. With hammer, list the repository using the test user credentials
A. Listing the repositories works as expected, only "Red Hat Enterprise Linux Server" repositories will be displayed: # hammer -u Test_bug_user -p testbug repository list --organization MyOrg
[...]
33 | Red Hat Enterprise Linux 7 Server Kickstart x86_64 7.1 | Red Hat Enterprise Linux Server | yum
27 | Red Hat Enterprise Linux 7 Server - Extras RPMs x86_64 | Red Hat Enterprise Linux Server | yum
[...]

B. Showing repository information using it's ID allows the user to see any repository (from any Product or any Organisation), this is not expected:
   # hammer -u Test_bug_user -p testbug repository info --id 62
ID: 62
Name: Custom_Repo
Label: Custom_Repo
Organization: OtherOrg
Red Hat Repository: no
Content Type: yum
[...]
C. Uploading a package to a any repository is also possible using its ID (from any Product or any Organisation), this is not expected:
   # hammer -u Test_bug_user -p testbug repository upload-content --id 62 --path test.rpm 
Successfully uploaded file 'test.rpm'.

It seems like when we specify --product --name --organization, the permission are applied correctly. However, it looks like using their id bypass this.

Actual results:
When using repository id, we can show info from any repository and upload new package to them.

Expected results:
Have the role filters applied on the resource whether we are using the name or the id


Related issues

Duplicates Katello - Bug #18035: Should only be able to add repositories you have access to Assigned 01/11/2017

History

#1 Updated by Brad Buckingham 9 months ago

  • Subject changed from Managing repositories with their id via hammer does not respect the role filters to Managing repositories with their id via hammer does not respect the role filters
  • Priority changed from Urgent to High
  • Target version set to Team Brad - Iteration 11
  • Release set to Katello 3.4.0

#2 Updated by The Foreman Bot 9 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/6659 added

#3 Updated by Brad Buckingham 9 months ago

  • Target version changed from Team Brad - Iteration 11 to Team Brad - Iteration 12

#4 Updated by Justin Sherrill 9 months ago

  • Release changed from Katello 3.4.0 to Katello 3.4.1

#5 Updated by Brad Buckingham 9 months ago

  • Target version changed from Team Brad - Iteration 12 to Team Brad - Iteration 13

#6 Updated by Brad Buckingham 8 months ago

  • Target version changed from Team Brad - Iteration 13 to Team Brad - Iteration 14

#7 Updated by Brad Buckingham 7 months ago

  • Target version changed from Team Brad - Iteration 14 to Team Brad - Iteration 15

#8 Updated by Justin Sherrill 7 months ago

  • Status changed from Ready For Testing to New
  • Pull request deleted (https://github.com/Katello/katello/pull/6659)

#9 Updated by Justin Sherrill 7 months ago

  • Release changed from Katello 3.4.1 to Katello 3.4.2

#10 Updated by Brad Buckingham 6 months ago

  • Target version changed from Team Brad - Iteration 15 to Team Brad - Iteration 16

#11 Updated by Justin Sherrill 6 months ago

  • Release changed from Katello 3.4.2 to Katello 3.4.3

#12 Updated by Brad Buckingham 5 months ago

  • Target version changed from Team Brad - Iteration 16 to Team Brad - Iteration 17

#13 Updated by Justin Sherrill 5 months ago

  • Release changed from Katello 3.4.3 to Katello 3.4.4

#14 Updated by Brad Buckingham 5 months ago

  • Target version changed from Team Brad - Iteration 17 to Team Brad - Iteration 18

#15 Updated by Eric Helms 5 months ago

  • Release changed from Katello 3.4.4 to Katello 3.4.5

#16 Updated by Brad Buckingham 5 months ago

  • Duplicates Bug #18035: Should only be able to add repositories you have access to added

#17 Updated by Brad Buckingham 5 months ago

  • Status changed from New to Duplicate

Also available in: Atom PDF