Plugins » Katello

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1467291

Description of problem:

When a Satellite user role is created with edit_products permission on a specific product, it allows the user who is assigned this role to remove the content from other products on which only view_products filter is assigned. The user should only be allowed to remove the content from a product repository only if he has rights to edit_product.

Version-Release number of selected component (if applicable):
Red Hat Satellite 6.2.10

How reproducible:
Every time.

Steps to Reproduce:
1. Create a new user.

2. Create a role with below filters and assign it to the user create above. This will allow the user to only edit the product "puppet-prod" and will only allow to view the rest products
hammer> role filters --id 22
----|------------------|---------------------|------------|----------|--------------
ID | RESOURCE TYPE | SEARCH | UNLIMITED? | ROLE | PERMISSIONS
----|------------------|---------------------|------------|----------|--------------
177 | Katello::Product | none | yes | prodview | view_products
178 | Katello::Product | name = puppet-prod | no | prodview | edit_products
----|------------------|---------------------|------------|----------|--------------

3. After this try to remove the yum package from the repository in the product where user has only view rights.
hammer> repository remove-content --name katello-agent --content-ids 11403 --organization-id 1
Repository content removed

Actual results:
The user is allowed to remove the content from the product repositories even when it has view only access.

Expected results:
The user should not be allowed to remove the content from the product repositories where it has view only access.