'access_settings' permission should be removed
While creating a new repository, the download policy gets loaded successfully, but it still displays the message 'You are not authorized to perform this action.' Looks like AJAX is making a Foreman API call.
#3 Updated by Justin Sherrill over 4 years ago
- Project changed from Katello to Foreman
- Subject changed from Non admin user with all permission on products get error message "You are not authorized to perform this action." to User with 'access_settings' permission cannot access /api/v2/settings
- Category set to Users, Roles and Permissions
To clarify, the issue is here:
One would think 'access_settings' would give the user read access to the settings, but it does not seem to.
#4 Updated by Dominic Cleal over 4 years ago
I don't think the access_settings permission should exist; settings should only really be viewed and edited by administrators, as they are system-wide and some contain very sensitive data. It would need replacing with separate view/edit permissions if this was to be fixed. Non-admin users should not be expected to have access_settings; this would be very unusual.
#5 Updated by Justin Sherrill over 4 years ago
- Subject changed from User with 'access_settings' permission cannot access /api/v2/settings to 'access_settings' permission should be removed
I can see arguments either way, but I'm okay keeping them restricted. I'll rename this to remove that permission to reduce confusion.