Bug #20112
openAPI prevents users from reading their own details when they don't have view permissions
Status: New
Priority: Normal
Assignee: -
Category: Users, Roles and Permissions
Target version: -
Description
API prevents users from reading their own details when they don't have view permissions, which they don't by default.
UI normally allows users to view their profile.
Reproducible with hammer:
# Use admin account to create a user with default set of permissions
> hammer user create --login test --password changeme --auth-source-id 1 --mail test@test.org
> hammer -u admin user info --login test
Id: 39
Login: test
Name: Test Test
Email: test@test.org
Admin: no
Last login: 2017/06/26 21:37:54
Authorized by: Internal
Effective admin: no
Locale: default
Timezone:
Description:
Default organization:
Default location:
Roles: Default role
User groups:
Inherited User groups:
Organizations: Default Organization
Created at: 2017/06/22 12:22:05
Updated at: 2017/06/26 21:38:19

# Use the just created account to read its own details
> hammer -u test user info --login test
Access denied
Missing one of the required permissions: view_users
Expected results:
API should allow users to read their own details even without view permissions, the same way the UI does.
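A sketch of the authorization rule the report asks for, added here as an illustration; it is not Foreman's code and not from the reporter. All names (`resolve_user`, `authorized?`, `api_call`, the `USERS` table and the action-to-permission map) are hypothetical. It limits the self-access exception to reading a single record and compares the resolved record rather than the raw id-or-login string.

```ruby
# Added illustration, not Foreman code. Every name below is hypothetical.
User = Struct.new(:id, :login, :permissions, keyword_init: true)

# Constructed sample data mirroring the report: a default user without view_users.
USERS = [
  User.new(id: 1,  login: 'admin', permissions: %w[view_users edit_users]),
  User.new(id: 39, login: 'test',  permissions: []),
  User.new(id: 40, login: '39',    permissions: []) # login that looks like another user's id
].freeze

# Assumed mapping of API action to required permission.
REQUIRED = { show: 'view_users', index: 'view_users', update: 'edit_users' }.freeze
SELF_READABLE = [:show].freeze # the exception covers reading one record, nothing else

# Resolve the request identifier (id or login, usually a String) to one record.
def resolve_user(identifier)
  key = identifier.to_s
  USERS.find { |u| u.id.to_s == key } || USERS.find { |u| u.login == key }
end

# Decide on the resolved record, never on the raw identifier string.
def authorized?(current_user, action, target = nil)
  required = REQUIRED[action]
  return false if required.nil? # unknown action: deny by default
  return true if current_user.permissions.include?(required)
  SELF_READABLE.include?(action) && !target.nil? && target.id == current_user.id
end

# Returns :ok, :access_denied, :not_found or :unauthenticated.
def api_call(login, action, identifier = nil)
  current = USERS.find { |u| u.login == login }
  return :unauthenticated if current.nil?
  target = identifier && resolve_user(identifier)
  # Authorize before reporting "not found", so an unprivileged caller
  # cannot use the error code to learn which accounts exist.
  return :access_denied unless authorized?(current, action, target)
  (identifier && target.nil?) ? :not_found : :ok
end
```

The user with login `39` is there to show why the comparison is made on the resolved record: the string `39` resolves to user id 39, which is a different account.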
Updated by Tomer Brisker over 4 years ago
- Category changed from 218 to Users, Roles and Permissions