Bug #25118
closedManage Manifest button is active for user with Viewer role
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1630885
When user with Viewer role accesses Content -> Subscriptions page, "Manage Manifest" button is active and clickable. UI inside popup is available as well, giving impression that user can manage manifest data. Trying to do so will result in error messages "[object Object]".
Version-Release number of selected component (if applicable):
Satellite 6.4.0 snap 22
satellite-6.4.0-14
katello-3.7.0-7
tfm-rubygem-katello-3.7.0.28-1
Steps to Reproduce:
1. Create two organizations. Upload manifest to one of them
2. Create new user with role "Viewer" (or any other role that has "view_subscriptions" in Subscription resource and "view_organizations" in Organization resource). Make sure it can access both organizations
3. Login as that user
4. Open Content -> Subscriptions
5. Notice that "Manage manifest" button is active for both organizations
6. Open organization with manifest and notice that you can try to delete it, refresh it or upload new one
7. Open organization without manifest and notice that you can try to upload manifest
Actual results:
Trying to upload, refresh or delete manifest will cause $HOST/katello/api/v2/organizations/<id>/subscriptions/refresh_manifest and $HOST/katello/api/v2/organizations/<id>/subscriptions/delete_manifest to return 403 HTTP code and error message with unhelpful "[object Object]" to appear in UI (see attached screenshot).
Expected results:
"Manage Manifest" button is not active and not clickable. On hover, message about not sufficient permissions appear.
Updated by Tomáš Strachota about 6 years ago
- Priority changed from High to Normal
Updated by Jonathon Turel about 6 years ago
- Target version set to Katello 3.10.0
- Triaged changed from No to Yes
Updated by Christine Fouant almost 6 years ago
- Target version changed from Katello 3.10.0 to Katello Backlog
Updated by Walden Raines about 5 years ago
- Is duplicate of Bug #25010: Unhelpful error message when user with Viewer role visits Subscriptions page added
Updated by Walden Raines about 5 years ago
- Status changed from New to Duplicate
This will be fixed with the changes in #25010.