Unable to change the default Satellite username "admin-username"
Description of problem:
-After initial setup I attempted to change the default user name and password from "admin-username" and "admin-password"
-From the GUI I can change the username and password but as soon as I hit submit the username returns to "admin-username"
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. After a new install of Red Hat Satellite 6.2.11 using the installer with --foreman-admin-username gk-admin, attempt to change the username
2. Hit Submit when username and password changed
3. The username returns to the old "admin-username"
Expected the username to update to the new name.
Logging out and logging back in does not matter.
The problem is that the installer allows the user to modify the default admin username, while in the UI it's not properly detected as the default admin and the username field is not disabled. The reason is that we hardcode the 'admin' login in app/views/users/_form.html.erb
<%= text_f f, :login, :disabled => f.object.login == 'admin' %>
#1 Updated by Marek Hulán about 3 years ago
- Difficulty set to easy
- Category set to 218
- Subject changed from Unable to change the default Satellite username "admin-username" to Unable to change the default Satellite username "admin-username"
There's more in this issue. The reason why it does not work is that strong params drops the login parameter if the user is editing himself/herself, see https://github.com/theforeman/foreman/blob/3703af267f316676ce571a0ca00563c8c3565168/app/controllers/concerns/foreman/controller/parameters/user.rb#L27-L33
The second part is that we disable the login field for users with login == 'admin', see https://github.com/theforeman/foreman/blob/3703af267f316676ce571a0ca00563c8c3565168/app/views/users/_form.html.erb#L24. That does not make sense since we can have more than one admin.
Changing the login should be supported, including by users themselves, in case the auth source is INTERNAL. For external auth sources this would be dangerous. After discussion with Evgeni and Ewoud, we came to the conclusion that updating the login and other sensitive fields (auth source) should only be allowed to users with the edit_users permission, while self editing of other attributes (e.g. email) should be allowed to everyone.
So to properly fix this issue, the following is required:
1) keep the fields disabled only while self editing when the current user does not have the edit_users permission; the disabled field should have a hover tooltip explaining why the field is disabled
2) update strong params to follow the same logic, accepting the login and auth source fields only for users with the edit_users permission
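
The two-part fix proposed above, sketched as an added example in plain Ruby (no Rails; this is not Foreman's code). The struct, constants, method names, the self-editable attribute list and the sample users are all hypothetical; the point is that the form and the server-side filter share one permission rule, and that the filter is what enforces it.

```ruby
# Added illustration, not Foreman code; every name below is hypothetical.
User = Struct.new(:id, :login, :permissions) do
  def can?(permission)
    permissions.include?(permission)
  end
end

# Attributes any user may change on their own account (assumed list).
SELF_EDITABLE = %w[mail firstname lastname].freeze
# Sensitive attributes named in the issue: reserved for holders of edit_users.
SENSITIVE = %w[login auth_source].freeze

# Single rule used by both the form and the parameter filter, so they cannot drift.
def may_edit_sensitive?(editor)
  editor.can?(:edit_users)
end

# Point 1: disable the field, with a tooltip, only for self-editing without edit_users.
def sensitive_field_options(editor, target)
  return { disabled: false } unless editor.id == target.id && !may_edit_sensitive?(editor)
  { disabled: true, title: 'Changing this field requires the edit_users permission' }
end

# Point 2: server-side filter. A disabled input is only a hint to the browser;
# a hand-crafted request can still submit the field, so it is dropped here.
def filter_user_params(submitted, editor:, target:)
  allowed = []
  allowed += SELF_EDITABLE if editor.id == target.id || editor.can?(:edit_users)
  allowed += SENSITIVE if may_edit_sensitive?(editor)
  submitted.select { |key, _value| allowed.include?(key) }
end

# Constructed sample users and a constructed form submission.
ADMIN  = User.new(1, 'gk-admin', [:edit_users])
VIEWER = User.new(2, 'alice', [])
SUBMITTED = { 'login' => 'renamed', 'auth_source' => 'LDAP', 'mail' => 'a@example.com' }.freeze

if __FILE__ == $PROGRAM_NAME
  p filter_user_params(SUBMITTED, editor: ADMIN, target: ADMIN)   # all three keys kept
  p filter_user_params(SUBMITTED, editor: VIEWER, target: VIEWER) # only mail kept
  p filter_user_params(SUBMITTED, editor: VIEWER, target: ADMIN)  # nothing kept
end
```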