Bug #20409
closed
[BUG] User with role containing "edit_products" filter on a specific product can remove content from other product's repositories also.
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1467291
Description of problem:
When a Satellite user role is created with the edit_products permission on a specific product, it allows the user who is assigned this role to remove content from other products on which only the view_products filter is assigned. The user should be allowed to remove content from a product repository only if he has edit_products rights.
Version-Release number of selected component (if applicable):
Red Hat Satellite 6.2.10
How reproducible:
Every time.
Steps to Reproduce:
1. Create a new user.
2. Create a role with the filters below and assign it to the user created above. This will allow the user to edit only the product "puppet-prod" and only to view the rest of the products.
hammer> role filters --id 22
----|------------------|---------------------|------------|----------|--------------
ID | RESOURCE TYPE | SEARCH | UNLIMITED? | ROLE | PERMISSIONS
----|------------------|---------------------|------------|----------|--------------
177 | Katello::Product | none | yes | prodview | view_products
178 | Katello::Product | name = puppet-prod | no | prodview | edit_products
----|------------------|---------------------|------------|----------|--------------
3. After this, try to remove the yum package from the repository in a product where the user has only view rights.
hammer> repository remove-content --name katello-agent --content-ids 11403 --organization-id 1
Repository content removed
Actual results:
The user is allowed to remove the content from the product repositories even when it has view only access.
Expected results:
The user should not be allowed to remove the content from the product repositories where it has view only access.
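The expected result, modeled as an added example (not Katello or Foreman code, and not taken from the report): the two filters from step 2 evaluated against the target product. The unscoped check is an assumed failure mode that reproduces the actual result; the struct names, helper names and the product name "other-product" are constructed for illustration.

```ruby
# Constructed model of the two role filters listed in step 2.
Filter  = Struct.new(:id, :resource_type, :search, :unlimited, :permissions)
Product = Struct.new(:name)

FILTERS = [
  Filter.new(177, "Katello::Product", nil, true, ["view_products"]),
  Filter.new(178, "Katello::Product", { "name" => "puppet-prod" }, false, ["edit_products"])
].freeze

# A filter applies to a product when it is unlimited or when every
# field in its search condition equals the product's value.
def filter_matches?(filter, product)
  return true if filter.unlimited
  filter.search.all? { |field, value| product.public_send(field) == value }
end

# Unscoped check (assumed failure mode): only asks whether the role
# carries the permission at all, ignoring which product is targeted.
def holds_permission_anywhere?(filters, permission)
  filters.any? { |f| f.permissions.include?(permission) }
end

# Scoped check: the permission counts only when it comes from a filter
# whose search condition matches the product being acted on.
def authorized_on?(filters, permission, product)
  filters.any? do |f|
    f.resource_type == "Katello::Product" &&
      f.permissions.include?(permission) &&
      filter_matches?(f, product)
  end
end

# Hypothetical guard for a content-removal action: removal edits the
# product, so it requires edit_products on the repository's own product.
def remove_content_allowed?(filters, repository_product)
  authorized_on?(filters, "edit_products", repository_product)
end

if __FILE__ == $PROGRAM_NAME
  [Product.new("puppet-prod"), Product.new("other-product")].each do |p|
    puts "#{p.name}: unscoped=#{holds_permission_anywhere?(FILTERS, 'edit_products')} " \
         "scoped=#{remove_content_allowed?(FILTERS, p)}"
  end
end
```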