Bug #29914: User without view_organization permission cannot switch organization - Foreman

Bug #29914

User without view_organization permission cannot switch organization

Added by Tomer Brisker almost 3 years ago. Updated about 2 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Amir Fefer

Category:

Organizations and Locations

Target version:

Difficulty:

easy

Triaged:

Bugzilla link:

Pull request:

https://github.com/theforeman/foreman/pull/7824

Fixed in Releases:

2.4.0

Found in Releases:

1.20.0

Red Hat JIRA:

Description

The top bar menu is only shown if the user has the permission which is incorrect, a user with more than one organization should be able to change their organization even without the permission.
Same is true for locations.
The source of the issue is a check for "show_{taxonomy}_tab" which is used on edit forms and shouldn't be used by the selector.

Related issues

Associated revisions

Revision 0c894d31 (diff)
Added by Amir Fefer about 2 years ago

Fixes #29914 - show taxonomy switcher when no view permission

History

#1 Updated by Tomer Brisker almost 3 years ago

Difficulty set to easy

#2 Updated by Marek Hulán almost 3 years ago

I don't think we should support such inconsistency, I'd rather grant such permission by assigning user to the organization. Note that we're probably checking view_organizations on many other places (host form selection, multi selects in objects forms, audits list).

The other option, which I like less, is, authz helpers returning true in case user is assigned to a given org.

#3 Updated by Tomer Brisker almost 3 years ago

The case here is when a user is assigned to two organizations without view_organization, they can't change to a different organization because the dropdown isn't displayed. this is a regression of the nav bar reimplementation in react, previously the navbar did show the option to change locations (e.g.: https://github.com/theforeman/foreman/blob/1.19-stable/app/views/home/_location_dropdown.html.erb)