Bug #18035
closed
Should only be able to add repositories you have access to
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1410916
Description of problem:
When using a user with restricted rights I can add repositories
that I should not be allowed to.
Version-Release number of selected component (if applicable):
6.2.2 - 6.2.6
How reproducible:
100%
Steps to Reproduce:
1. The role assigned to the user has the following permission set
- hammer
u admin -p redhat role filters --id=22|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
---
ID | RESOURCE TYPE | SEARCH | UNLIMITED? | ROLE | PERMISSIONS
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
167 | Katello::Product | name ~ "Test_*" || name ~ "rhel7*" | no | Limited | view_products, create_products, edit_products, destroy_products, sync_product...
168 | Katello::System | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no | Limited | view_content_hosts, edit_content_hosts
169 | Katello::ContentView | name ~ "Test_*" || name ~ "rhel7*" | no | Limited | view_content_views, create_content_views, edit_content_views, destroy_content...
170 | Host | host_collection ~ "Test_*_Dev" || host_collection ~ "Test_*_QA" | no | Limited | view_hosts, edit_hosts
171 | Katello::HostCollection | name ~ "Test_*_Dev" || name ~ "Test_*_QA" | no | Limited | view_host_collections, edit_host_collections
172 | JobInvocation | none | yes | Limited | create_job_invocations, view_job_invocations
173 | Katello::KTEnvironment | name ~ Dev || name ~ QA | no | Limited | view_lifecycle_environments, edit_lifecycle_environments, promote_or_remove_c...
174 | Katello::ActivationKey | name ~ ak_test | no | Limited | view_activation_keys, create_activation_keys, edit_activation_keys, destroy_a...
176 | Organization | none | yes | Limited | view_organizations, assign_organizations, view_subscriptions, attach_subscrip...
----|-------------------------|-----------------------------------------------------------------|------------|---------|---------------------------------------------------------------------------------
2. Identify a repo which does not meet the above filter
- hammer -u admin -p redhat repository list | grep ^4
4 | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os
3. Verify the user cannot see it
- hammer -u limited -p redhat repository list | grep ^4
<no output> as this repository doesn't match the search filter
4. Add the repository to the content view
- hammer -u limited -p redhat content-view add-repository --repository-id=4 --name Test_A_QA --organization ACME
The repository has been associated
Actual results:
Step 4 succeeds in adding a repository that doesn't match the search filter
Expected results:
Step 4 should fail since the repository doesn't match the search filter
Additional info:
5. # hammer -u limited -p redhat repository list | grep ^4
4 | Red Hat Software Collections RPMs for Red Hat Enterprise Linux 7 Server x86_6... | Red Hat Software Collections for RHEL Server | yum | https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/rhscl/1/os
Not only has it been associated, it's now returned in the list of repositories,
again despite it not matching the search filter.
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by 
Updated by