Bug #6361

menu item "Hosts --> All hosts" is visible to normal user from anonymous role by default

Added by Dominic Cleal almost 4 years ago. Updated over 3 years ago.

Status:Closed
Priority:Normal
Assigned To:Daniel Lobato Garcia
Category:Authentication
Target version:Sprint 26
Difficulty:
Bugzilla link:1112750
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/1549
Story points:-
Velocity based estimate:-
Release:1.6.0
Release relationship:Auto

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1112750
++ This bug was initially created as a clone of Bug #1112182 ++

Description of problem:
I created a simple user in "Any context" mode and did not assign any location, org or roles. But the following menus are visible to that user.

Ideally, a user shouldn't be allowed to have access to any menu items without a permission. The Hosts menu shows "All Hosts" and the user can see the created hosts.

Version-Release number of selected component (if applicable):
sat6 beta snap10 compose2

How reproducible:
always

Steps to Reproduce:
1. Log in as the admin user
2. Create a user in "Any context" and do not assign a location or org
3. Log out as the admin user and log in as the newly created user

Actual results:
The user can see Hosts --> All hosts

Expected results:
The user shouldn't be allowed to have access to any menu items without a permission

Additional info:


Related issues

Related to Foreman - Refactor #994: The Role default_user is misleading Rejected 06/17/2011
Related to Foreman - Bug #5672: Host group filter bypassed due to unlimited view_hosts fi... Rejected 05/12/2014
Related to Foreman - Bug #6926: New user with just anonymous role will get 403 Forbidden ... Duplicate 08/05/2014
Related to Foreman - Bug #1632: On login with minimal permissions, user is always taken t... New 05/18/2012
Duplicates Foreman - Bug #4641: Deleting user with associated roles triggers PG::NotNullV... Closed 03/12/2014

History

#1 Updated by Dominic Cleal almost 4 years ago

  • Category set to Authentication

Not really "any permission", but all users automatically get the "Anonymous" role added. By default the anonymous role (a terrible name in itself, see #994) grants an unlimited view_hosts permission. This confuses a lot of people and should be removed by default IMHO.
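
As an added illustration of comment #1 (example code, not Foreman's own implementation): a simplified Ruby model of role filters in which every user automatically receives the default role, showing the weak default (an unlimited view_hosts filter on the auto-assigned "Anonymous" role) beside the hardened one, plus an audit helper that lists unlimited filters on that role. The Struct names, the `hostgroup = web` search string and the user "newuser" are assumptions constructed for the example.

```ruby
# Simplified model of role/filter-based authorization, added here to illustrate
# the bug; this is not Foreman's code. A filter grants one permission, and a
# filter with no search expression is "unlimited" (matches every record).
Filter = Struct.new(:permission, :search) do
  def unlimited?
    search.nil? || search.strip.empty?
  end
end
Role = Struct.new(:name, :filters)
User = Struct.new(:login, :roles)

# The auto-assigned default role as the report describes it: every user gets it,
# and it carries an unlimited view_hosts filter.
def default_role_before
  Role.new('Anonymous', [Filter.new('view_hosts', nil)])
end

# Hardened default role: no view_hosts filter, so the Hosts menu and host data
# require an explicitly assigned role.
def default_role_after
  Role.new('Anonymous', [])
end

# Every user's effective roles are the default role plus whatever was assigned.
def effective_roles(user, default_role)
  [default_role] + user.roles
end

# Names of roles granting the permission; an empty array means access is denied.
def roles_granting(user, default_role, permission)
  effective_roles(user, default_role)
    .select { |role| role.filters.any? { |f| f.permission == permission } }
    .map(&:name)
end

# Menu visibility follows the same check as data access.
def hosts_menu_visible?(user, default_role)
  roles_granting(user, default_role, 'view_hosts').any?
end

# Audit: permissions the default role grants without any search restriction.
def unlimited_default_permissions(default_role)
  default_role.filters.select(&:unlimited?).map(&:permission)
end

if __FILE__ == $PROGRAM_NAME
  newcomer = User.new('newuser', [])   # constructed: no roles, org or location
  puts "before fix: menu visible=#{hosts_menu_visible?(newcomer, default_role_before)}, unlimited=#{unlimited_default_permissions(default_role_before).inspect}"
  puts "after fix:  menu visible=#{hosts_menu_visible?(newcomer, default_role_after)}"
end
```

Running the audit against the "before" role reports view_hosts as unlimited, which is exactly the condition that makes the menu appear for a user with no assigned roles.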

#2 Updated by Dominic Cleal almost 4 years ago

  • Related to Refactor #994: The Role default_user is misleading added

#3 Updated by Dominic Cleal almost 4 years ago

  • Subject changed from menu item "Hosts --> All hosts" is visible to normal user without any permission to menu item "Hosts --> All hosts" is visible to normal user from anonymous role by default

#4 Updated by Daniel Lobato Garcia almost 4 years ago

  • Assigned To set to Daniel Lobato Garcia

#5 Updated by Dominic Cleal almost 4 years ago

  • Status changed from New to Assigned
  • Target version set to Sprint 25

#6 Updated by Daniel Lobato Garcia almost 4 years ago

  • Status changed from Assigned to Ready For Testing

#7 Updated by Dominic Cleal almost 4 years ago

  • Related to Bug #5672: Host group filter bypassed due to unlimited view_hosts filter on anonymous role added

#8 Updated by Dmitri Dolguikh almost 4 years ago

  • Target version changed from Sprint 25 to Sprint 26

#9 Updated by The Foreman Bot over 3 years ago

  • Pull request https://github.com/theforeman/foreman/pull/1549 added

#10 Updated by Dominic Cleal over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
  • Release set to 1.6.0

Fixed via #4641.

#11 Updated by Dominic Cleal over 3 years ago

  • Duplicates Bug #4641: Deleting user with associated roles triggers PG::NotNullViolation added

#12 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #6926: New user with just anonymous role will get 403 Forbidden upon logon to / (redirected to /hosts) added

#13 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #1632: On login with minimal permissions, user is always taken to host page added
