Bug #20409

closed

[BUG] User with role containing "edit_products" filter on a specific product can remove content from other product's repositories also.

Added by Jonathon Turel over 6 years ago. Updated over 5 years ago.

Status:
Duplicate
Priority:
Normal
Category:
Repositories

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1467291

Description of problem:

When a Satellite user role is created with the edit_products permission on a specific product, it allows the user who is assigned this role to remove content from other products on which only the view_products filter is assigned. The user should be allowed to remove content from a product repository only if he has rights to edit_product.

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.2.10

How reproducible:
Every time.

Steps to Reproduce:
1. Create a new user.

2. Create a role with the filters below and assign it to the user created above. This will allow the user to edit only the product "puppet-prod" and will only allow viewing the rest of the products.
hammer> role filters --id 22
----|------------------|---------------------|------------|----------|--------------
ID  | RESOURCE TYPE    | SEARCH              | UNLIMITED? | ROLE     | PERMISSIONS
----|------------------|---------------------|------------|----------|--------------
177 | Katello::Product | none                | yes        | prodview | view_products
178 | Katello::Product | name = puppet-prod  | no         | prodview | edit_products
----|------------------|---------------------|------------|----------|--------------

3. After this, try to remove the yum package from the repository in the product where the user has only view rights.
hammer> repository remove-content --name katello-agent --content-ids 11403 --organization-id 1
Repository content removed

Actual results:
The user is allowed to remove content from the product repositories even when it has view-only access.

Expected results:
The user should not be allowed to remove content from the product repositories where it has view-only access.
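
The decision the report expects for the two filters in step 2, as an added Ruby example that is not Katello or Foreman code. The structs, helper names, the product name "other-prod" and the repository-to-product mapping are constructed for illustration; only the filter rows and the repository name come from the report.

```ruby
# Added illustration, not Katello source. Filter rows mirror the hammer output in step 2.
Filter     = Struct.new(:id, :resource_type, :search, :unlimited, :permissions)
Product    = Struct.new(:name)
Repository = Struct.new(:name, :product)

FILTERS = [
  Filter.new(177, "Katello::Product", nil, true, %w[view_products]),
  Filter.new(178, "Katello::Product", "name = puppet-prod", false, %w[edit_products])
].freeze

# Constructed sample data: which product owns "katello-agent" is an assumption.
REPOS = [
  Repository.new("puppet-repo",   Product.new("puppet-prod")),
  Repository.new("katello-agent", Product.new("other-prod"))
].freeze

# Handles only the "name = value" form used by filter 178 (assumption).
# Anything else fails closed instead of matching every product.
def search_matches?(search, product)
  m = /\A\s*name\s*=\s*(.+?)\s*\z/.match(search.to_s)
  !m.nil? && product.name == m[1]
end

# A permission applies to a product only through a filter that grants that
# same permission AND whose scope (unlimited or search) covers the product.
def permitted?(filters, permission, product)
  filters.any? do |f|
    f.resource_type == "Katello::Product" &&
      f.permissions.include?(permission) &&
      (f.unlimited || search_matches?(f.search, product))
  end
end

# Content removal is a write: check edit_products against the product that
# owns the target repository, never against the unlimited view filter.
def can_remove_content?(filters, repository)
  permitted?(filters, "edit_products", repository.product)
end

# Repositories the user can see but must not modify (useful as a test oracle).
def view_only_repos(filters, repos)
  repos.select do |r|
    permitted?(filters, "view_products", r.product) && !can_remove_content?(filters, r)
  end.map(&:name)
end
```

Every name returned by `view_only_repos` is a repository on which `remove-content` should be rejected for this role.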


Related issues 1 (0 open, 1 closed)

Is duplicate of Katello - Bug #18035: Should only be able to add repositories you have access to (Closed, Justin Sherrill)

#1

Updated by The Foreman Bot over 6 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/6886 added
#2

Updated by Justin Sherrill over 6 years ago

  • Assignee set to Jonathon Turel
  • Target version set to 205
  • translation missing: en.field_release set to 286
#3

Updated by Brad Buckingham over 6 years ago

  • Target version changed from 205 to 208
#4

Updated by Jonathon Turel over 6 years ago

  • Status changed from Ready For Testing to Assigned
#5

Updated by Brad Buckingham over 6 years ago

  • Status changed from Assigned to Duplicate
#6

Updated by Brad Buckingham over 6 years ago

Marking as a duplicate based upon the downstream bugzilla being closed as a duplicate.

#7

Updated by Brad Buckingham over 6 years ago

  • Is duplicate of Bug #18035: Should only be able to add repositories you have access to added