
Bug #20409

[BUG] User with role containing "edit_products" filter on a specific product can remove content from other product's repositories also.

Added by Jonathon Turel almost 5 years ago. Updated almost 4 years ago.

Status:
Duplicate
Priority:
Normal
Category:
Repositories
Target version:
Difficulty:
Triaged:
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1467291

Description of problem:

When a Satellite user role is created with the edit_products permission filtered to a specific product, a user assigned this role can still remove content from other products on which only a view_products filter is assigned. The user should be allowed to remove content from a product's repository only if they hold edit_products rights on that product.

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.2.10

How reproducible:
Every time.

Steps to Reproduce:
1. Create a new user.

2. Create a role with the filters below and assign it to the user created above. This allows the user to edit only the product "puppet-prod" and only to view the rest of the products.
hammer> role filters --id 22
----|------------------|---------------------|------------|----------|--------------
ID | RESOURCE TYPE | SEARCH | UNLIMITED? | ROLE | PERMISSIONS
----|------------------|---------------------|------------|----------|--------------
177 | Katello::Product | none | yes | prodview | view_products
178 | Katello::Product | name = puppet-prod | no | prodview | edit_products
----|------------------|---------------------|------------|----------|--------------

3. After this, try to remove a yum package from a repository in a product where the user has only view rights.
hammer> repository remove-content --name katello-agent --content-ids 11403 --organization-id 1
Repository content removed

Actual results:
The user is allowed to remove content from the product's repositories even though they have view-only access to that product.

Expected results:
The user should not be allowed to remove content from the repositories of a product to which they have view-only access.
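The defect is an authorization check that is not scoped to the object being modified: holding edit_products on one product is treated as holding it on every product. The Ruby below is an added illustration, not Katello's own code; it models the report's role filters (resource type, search, unlimited?, permissions) with hypothetical Struct classes and method names, puts the unscoped check beside a check that evaluates edit_products against the repository's own product, and uses constructed product and repository names.

```ruby
# Added example, not Katello code: a minimal model of Katello-style permission
# filters and the object-scoped check a destructive repository action needs.
# Every class and method name here is hypothetical.

Filter     = Struct.new(:resource_type, :search, :unlimited, :permissions)
Role       = Struct.new(:name, :filters)
Product    = Struct.new(:name)
Repository = Struct.new(:name, :product)
User       = Struct.new(:login, :roles)

# Does this filter's search scope cover the given product?
# An unlimited filter covers everything; otherwise only the
# "name = <value>" search form used in the report is understood (assumption).
def filter_covers?(filter, product)
  return true if filter.unlimited
  m = filter.search.match(/\Aname\s*=\s*(\S+)\z/)
  raise ArgumentError, "unsupported search expression: #{filter.search}" unless m
  product.name == m[1]
end

# Object-scoped permission check: the user needs a Katello::Product filter
# that grants +permission+ AND whose search scope includes +product+.
def permitted_on_product?(user, permission, product)
  user.roles.any? do |role|
    role.filters.any? do |f|
      f.resource_type == 'Katello::Product' &&
        f.permissions.include?(permission) &&
        filter_covers?(f, product)
    end
  end
end

# The defect in the report, modelled: the action only asks whether the user
# holds edit_products anywhere and ignores which product owns the repository.
def unscoped_can_remove_content?(user, _repository)
  user.roles.any? do |role|
    role.filters.any? { |f| f.permissions.include?('edit_products') }
  end
end

# Corrected check: edit_products must apply to the repository's own product.
def can_remove_content?(user, repository)
  permitted_on_product?(user, 'edit_products', repository.product)
end

# Destructive action guarded by the corrected check.
def remove_content(user, repository, content_ids)
  unless can_remove_content?(user, repository)
    raise SecurityError,
          "#{user.login} may not remove content from #{repository.name}"
  end
  # Deletion of content_ids would happen here; we only report what was removed.
  { repository: repository.name, removed: content_ids }
end

# Constructed data mirroring the role filters shown in the report.
PUPPET_PROD = Product.new('puppet-prod')
OTHER_PROD  = Product.new('other-prod')                      # constructed name
PUPPET_REPO = Repository.new('puppet-modules', PUPPET_PROD)  # constructed name
OTHER_REPO  = Repository.new('katello-agent', OTHER_PROD)
PRODVIEW = Role.new('prodview', [
  Filter.new('Katello::Product', 'none', true, ['view_products']),
  Filter.new('Katello::Product', 'name = puppet-prod', false, ['edit_products'])
])
REPORTER = User.new('limited-user', [PRODVIEW])

if __FILE__ == $PROGRAM_NAME
  puts "unscoped check, other product: #{unscoped_can_remove_content?(REPORTER, OTHER_REPO)}"
  puts "scoped check, other product:   #{can_remove_content?(REPORTER, OTHER_REPO)}"
  puts "scoped check, puppet-prod:     #{can_remove_content?(REPORTER, PUPPET_REPO)}"
end
```

The scoped check is the one to put in front of every destructive repository action: it answers "may this user edit the product that owns this repository?" rather than "does this user hold edit_products at all?", which is exactly the distinction the view-only filter in step 2 is meant to enforce.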


Related issues

Is duplicate of Katello - Bug #18035: Should only be able to add repositories you have access to (Closed)

History

#1 Updated by The Foreman Bot almost 5 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/6886 added

#2 Updated by Justin Sherrill almost 5 years ago

  • Assignee set to Jonathon Turel
  • Target version set to 205
  • Legacy Backlogs Release (now unused) set to 286

#3 Updated by Brad Buckingham almost 5 years ago

  • Target version changed from 205 to 208

#4 Updated by Jonathon Turel almost 5 years ago

  • Status changed from Ready For Testing to Assigned

#5 Updated by Brad Buckingham over 4 years ago

  • Status changed from Assigned to Duplicate

#6 Updated by Brad Buckingham over 4 years ago

Marking as a duplicate based upon the downstream bugzilla being closed as a duplicate.

#7 Updated by Brad Buckingham over 4 years ago

  • Is duplicate of Bug #18035: Should only be able to add repositories you have access to added
