Bug #16687

'access_settings' permission should be removed

Added by Ranjan Kumar over 4 years ago. Updated over 4 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Users, Roles and Permissions
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Fixed in Releases:
Found in Releases:

Description

While creating a new repository, the download policy gets loaded successfully, but it still displays the message 'You are not authorized to perform this action.' It looks like ajax is making a Foreman API call:

"/api/v2/settings?search=name+%3D+default_download_policy"


Related issues

Related to Katello - Bug #16505: Unable to create a repository as non-admin user - Closed 2016-09-10

History

#1 Updated by Ranjan Kumar over 4 years ago

  • Related to Bug #16505: Unable to create a repository as non-admin user added

#2 Updated by Dominic Cleal over 4 years ago

  • Project changed from Foreman to Katello

The API mentioned is a Foreman API, but this describes a Katello issue, so moving. If there's an issue with the API, please show it in more detail with logs/reproducer etc.

#3 Updated by Justin Sherrill over 4 years ago

  • Project changed from Katello to Foreman
  • Subject changed from Non admin user with all permission on products get error message "You are not authorized to perform this action." to User with 'access_settings' permission cannot access /api/v2/settings
  • Category set to Users, Roles and Permissions

To clarify, the issue is here:

https://github.com/theforeman/foreman/blob/develop/app/controllers/settings_controller.rb#L4

One would think 'access_settings' would give the user read access to the settings, but it does not seem to.

#4 Updated by Dominic Cleal over 4 years ago

https://github.com/theforeman/foreman/blob/develop/app/controllers/api/v2/settings_controller.rb#L4 rather, for the API.

I don't think the access_settings permission should exist, settings should only really be viewed and edited by administrators as they are system-wide and some contain very sensitive data. It would need replacing with separate view/edit permissions if this was to be fixed. Non-admin users should not be expected to have access_settings, this would be very unusual.
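The two permission schemes contrasted in this comment, modelled as a small Rails-style "which permission does this controller action require" check. This is an added example written for this page, not code from Foreman or from anyone in the thread; the controller path, action names, the `view_settings`/`edit_settings` permission names, the `sensitive` flag and the sample settings are assumptions chosen for illustration, not Foreman's real identifiers or data. It shows why granting `access_settings` to the reporter's role has no effect when the controller actions require an administrator, how a view/edit split would behave instead, and how a read-only permission can still keep the "very sensitive" settings admin-only.

```ruby
# Added example (not Foreman's code). Models the permission check a
# Rails controller's before_action would perform, so the schemes
# discussed in this thread can be compared side by side. All
# controller, action, permission and setting names are hypothetical.
require 'set'

User = Struct.new(:login, :admin, :permissions, keyword_init: true) do
  # Admins bypass permission checks, as in most role-based schemes.
  def can?(permission)
    admin || permissions.include?(permission)
  end
end

Setting = Struct.new(:name, :value, :sensitive, keyword_init: true)

# Scheme A: the situation reported above. A grantable 'access_settings'
# permission exists, but every settings action requires an admin, so
# adding it to a non-admin role changes nothing.
ADMIN_ONLY = {
  'api/v2/settings' => { index: :admin, show: :admin, update: :admin }
}.freeze

# Scheme B: the split suggested in this comment, separate view and edit
# permissions (names are assumptions).
SPLIT = {
  'api/v2/settings' => { index: :view_settings, show: :view_settings,
                         update: :edit_settings }
}.freeze

# True if +user+ may call +action+ on +controller+ under +scheme+.
# A missing table entry is denied rather than raising, so the check
# fails closed for actions nobody mapped to a permission.
def authorized?(scheme, user, controller, action)
  required = scheme.dig(controller, action)
  return false if required.nil?
  return user.admin if required == :admin
  user.can?(required)
end

# Under scheme B a read permission must still not expose the sensitive
# settings this comment warns about: non-admins only get the rest.
def visible_settings(scheme, user, settings)
  return [] unless authorized?(scheme, user, 'api/v2/settings', :index)
  settings.select { |s| user.admin || !s.sensitive }
end

# Constructed sample data; the names are illustrative only.
SAMPLE_SETTINGS = [
  Setting.new(name: 'default_download_policy', value: 'on_demand', sensitive: false),
  Setting.new(name: 'smtp_password', value: 'REDACTED', sensitive: true)
].freeze

ADMIN = User.new(login: 'admin', admin: true, permissions: Set[]).freeze
# The reporter's case: a non-admin holding product permissions plus
# access_settings.
REPORTER = User.new(login: 'reporter', admin: false,
                    permissions: Set[:access_settings, :view_products,
                                     :create_products]).freeze
# A non-admin granted only the hypothetical read permission.
VIEWER = User.new(login: 'viewer', admin: false,
                  permissions: Set[:view_settings]).freeze

# Collects the outcomes so they can be inspected or asserted on.
def demo
  {
    reporter_under_a: authorized?(ADMIN_ONLY, REPORTER, 'api/v2/settings', :index),
    reporter_under_b: authorized?(SPLIT, REPORTER, 'api/v2/settings', :index),
    viewer_index_under_b: authorized?(SPLIT, VIEWER, 'api/v2/settings', :index),
    viewer_update_under_b: authorized?(SPLIT, VIEWER, 'api/v2/settings', :update),
    viewer_sees: visible_settings(SPLIT, VIEWER, SAMPLE_SETTINGS).map(&:name),
    admin_sees: visible_settings(SPLIT, ADMIN, SAMPLE_SETTINGS).map(&:name)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Run it with `ruby settings_permissions.rb`. Under scheme A the reporter is denied on every settings action despite holding `access_settings`, which is exactly the 'You are not authorized' response the ticket describes; under scheme B the same user is still denied because the read permission is a different one, while a user holding `view_settings` can list non-sensitive settings but cannot update them.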

#5 Updated by Justin Sherrill over 4 years ago

  • Subject changed from User with 'access_settings' permission cannot access /api/v2/settings to 'access_settings' permission should be removed

I can see arguments either way, but I'm okay keeping them restricted. I'll rename this to remove that permission to reduce confusion.