Bug #18035

Should only be able to add repositories you have access to

Added by Brad Buckingham almost 4 years ago. Updated 3 months ago.

Status:
Closed
Priority:
Normal
Category:
Roles and Permissions
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1410916

Description of problem:

When using a user with restricted rights I can add repositories
that I should not be allowed to.

Version-Release number of selected component (if applicable):

6.2.2 - 6.2.6

How reproducible:

100%

Steps to Reproduce:
1. The role assigned to the user has the following permission set

  1. hammer -u admin -p redhat role filters --id=22
    ----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
    ID  | RESOURCE TYPE           | SEARCH                                                          | UNLIMITED? | ROLE    | PERMISSIONS
    ----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
    167 | Katello::Product        | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_products, create_products, edit_products, destroy_products, sync_product...
    168 | Katello::System         | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_content_hosts, edit_content_hosts
    169 | Katello::ContentView    | name ~ "Test_*" || name ~ "rhel7*"                              | no         | Limited | view_content_views, create_content_views, edit_content_views, destroy_content...
    170 | Host                    | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no         | Limited | view_hosts, edit_hosts
    171 | Katello::HostCollection | name ~ "Test_*_Dev" || name ~ "Test_*_QA"                       | no         | Limited | view_host_collections, edit_host_collections
    172 | JobInvocation           | none                                                            | yes        | Limited | create_job_invocations, view_job_invocations
    173 | Katello::KTEnvironment  | name ~ Dev || name ~ QA                                         | no         | Limited | view_lifecycle_environments, edit_lifecycle_environments, promote_or_remove_c...
    174 | Katello::ActivationKey  | name ~ ak_test                                                  | no         | Limited | view_activation_keys, create_activation_keys, edit_activation_keys, destroy_a...
    176 | Organization            | none                                                            | yes        | Limited | view_organizations, assign_organizations, view_subscriptions, attach_subscrip...
    ----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------

2. Identify a repo which does not meet the above filter

  1. hammer -u admin -p redhat repository list | grep ^4
    4 | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os

3. Verify the user cannot see it

  1. hammer -u limited -p redhat repository list | grep ^4
    <no output> as this repository doesn't match the search filter

4. Add the repository to the content view

  1. hammer -u limited -p redhat content-view add-repository --repository-id=4 --name Test_A_QA --organization ACME
    The repository has been associated

Actual results:

Step 4 succeeds in adding a repository that doesn't match the search filter

Expected results:

Step 4 should fail since the repository doesn't match the search filter

Additional info:

5. # hammer -u limited -p redhat repository list | grep ^4
    4 | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os

Not only has it been associated, it's now returned in the list of repositories,
again despite it not matching the search filter.
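The gap the report describes is an authorization check applied on the read path (repository list is scoped by the role filter) but not on the write path (content-view add-repository resolves whatever id the caller supplies). The following is an added illustration, written for this page and not taken from Katello; the `LimitedUser`, `Repository`, `ContentView` and `add_repositories_*` names and the sample repositories are constructed stand-ins, and the role filter is modelled as product-name globs approximating the report's `name ~ "Test_*" || name ~ "rhel7*"` search. It shows the unfiltered lookup next to the fix pattern named in the associated commit: resolve the requested ids through the same readable scope the list command uses and refuse the association if any id falls outside it.

```ruby
# Added example, not Katello code: a minimal model of the authorization gap in
# this report. The "list" path scopes repositories by the user's role filter,
# while the original "add to content view" path resolved the caller-supplied
# repository id against all repositories, so the filter never applied.

Repository  = Struct.new(:id, :name, :product)
ContentView = Struct.new(:name, :repository_ids)

class NotFound < StandardError; end

# A limited user's role filter, modelled as product-name globs (hypothetical
# stand-in for the report's `name ~ "Test_*" || name ~ "rhel7*"` filter on
# Katello::Product).
class LimitedUser
  def initialize(product_globs)
    @product_globs = product_globs
  end

  def readable?(repo)
    @product_globs.any? { |glob| File.fnmatch(glob, repo.product) }
  end

  # The scope behind `hammer repository list`: only matching repos are visible.
  def readable_repositories(all_repos)
    all_repos.select { |repo| readable?(repo) }
  end
end

# Constructed sample data mirroring the report: repo 4 belongs to a product
# outside the filter, repo 1 to a product inside it.
SAMPLE_REPOS = [
  Repository.new(1, "Test_A RPMs", "Test_A"),
  Repository.new(4, "Red Hat Software Collections RPMs for RHEL 7 Server",
                 "Red Hat Software Collections for RHEL Server"),
].freeze

# Before the fix: ids are looked up against every repository, so any id the
# caller can guess is associated even though it is invisible to them.
def add_repositories_unfiltered(_user, view, all_repos, ids)
  repos = all_repos.select { |repo| ids.include?(repo.id) }
  missing = ids - repos.map(&:id)
  raise NotFound, "repositories #{missing.inspect} not found" unless missing.empty?
  view.repository_ids.concat(repos.map(&:id))
  :associated
end

# After the fix: ids are resolved through the same readable scope the list
# command uses, and any id outside it is rejected before the write happens.
# Answering "not found" rather than "forbidden" also avoids confirming that a
# hidden id exists.
def add_repositories_filtered(user, view, all_repos, ids)
  permitted = user.readable_repositories(all_repos).select { |repo| ids.include?(repo.id) }
  missing = ids - permitted.map(&:id)
  raise NotFound, "repositories #{missing.inspect} not found" unless missing.empty?
  view.repository_ids.concat(permitted.map(&:id))
  :associated
end

if __FILE__ == $PROGRAM_NAME
  user = LimitedUser.new(["Test_*", "rhel7*"])
  puts "visible ids: #{user.readable_repositories(SAMPLE_REPOS).map(&:id).inspect}"
  view = ContentView.new("Test_A_QA", [])
  puts "unfiltered: #{add_repositories_unfiltered(user, view, SAMPLE_REPOS, [4])} -> #{view.repository_ids.inspect}"
  begin
    add_repositories_filtered(user, ContentView.new("Test_A_QA", []), SAMPLE_REPOS, [4])
  rescue NotFound => e
    puts "filtered: #{e.message}"
  end
end
```

The point generalizes beyond repositories: any endpoint that accepts object ids on a write (associate, remove, promote) needs to resolve those ids through the caller's permitted scope, not through an unscoped primary-key lookup, or the role filter only ever restricts what the user can see in listings.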


Related issues

Has duplicate Katello - Bug #18838: Managing repositories with their id via hammer does not respect the role filters (Duplicate, 2017-03-08)
Has duplicate Katello - Bug #20409: [BUG] User with role containing "edit_products" filter on a specific product can remove content from other product's repositories also. (Duplicate, 2017-07-25)

Associated revisions

Revision 853260e3 (diff)
Added by Justin Sherrill 3 months ago

Fixes #18035 - filter repos for CV with perms

This commit adds permission filtering to associations within content view create and update. The idea is that we can easily spread this to other controllers as well.

History

#1 Updated by Brad Buckingham almost 4 years ago

  • Subject changed from Should only be able to add repositories you have access to to Should only be able to add repositories you have access to
  • Target version set to 157
  • Legacy Backlogs Release (now unused) set to 114

#2 Updated by Brad Buckingham almost 4 years ago

Need to test this and see if it exists on master. If it does not, ideally locate a duplicate that can be associated with the referenced bugzilla.

#3 Updated by Brad Buckingham almost 4 years ago

  • Status changed from New to Assigned
  • Assignee set to Brad Buckingham

#4 Updated by Brad Buckingham over 3 years ago

  • Target version changed from 157 to 163

#5 Updated by Brad Buckingham over 3 years ago

  • Target version changed from 163 to 160

#6 Updated by Brad Buckingham over 3 years ago

  • Target version changed from 160 to 169

#7 Updated by Brad Buckingham over 3 years ago

  • Target version changed from 169 to 178

#8 Updated by Brad Buckingham over 3 years ago

  • Target version changed from 178 to 181

#9 Updated by Brad Buckingham over 3 years ago

  • Target version changed from 181 to 160

#10 Updated by Brad Buckingham about 3 years ago

  • Assignee changed from Brad Buckingham to Jonathon Turel

#11 Updated by Brad Buckingham about 3 years ago

  • Has duplicate Bug #18838: Managing repositories with their id via hammer does not respect the role filters added

#12 Updated by Brad Buckingham about 3 years ago

  • Legacy Backlogs Release (now unused) changed from 114 to 286

Setting release to Katello 3.4.5, as that was the target for the duplicate issue 18838. If we need to alter/update it later, we can do so; however, I think we should attempt to achieve that same target.

#13 Updated by Brad Buckingham about 3 years ago

  • Legacy Backlogs Release (now unused) changed from 286 to 250

#14 Updated by Brad Buckingham about 3 years ago

  • Has duplicate Bug #20409: [BUG] User with role containing "edit_products" filter on a specific product can remove content from other product's repositories also. added

#15 Updated by Justin Sherrill about 3 years ago

  • Legacy Backlogs Release (now unused) changed from 250 to 284

#16 Updated by Bryan Kearney over 2 years ago

  • Bugzilla link changed from 1410916 to 1436932

#17 Updated by John Mitsch over 2 years ago

  • Legacy Backlogs Release (now unused) changed from 284 to 352

#18 Updated by The Foreman Bot 4 months ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/8772 added

#19 Updated by Jonathon Turel 4 months ago

  • Triaged changed from Yes to No
  • Target version changed from Katello 3.6.1 to Katello 3.16.0
  • Assignee changed from Jonathon Turel to Justin Sherrill

#20 Updated by Samir Jha 4 months ago

  • Triaged changed from No to Yes

#21 Updated by The Foreman Bot 3 months ago

  • Fixed in Releases Katello 4.0.0 added

#22 Updated by Justin Sherrill 3 months ago

  • Status changed from Ready For Testing to Closed
