Project

General

Profile

Actions

Bug #30880

closed

Add permission support to validate 404 on denial and multi permissions

Added by Partha Aji over 4 years ago. Updated about 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Yes
Fixed in Releases:
Found in Releases:

Description

The current testing framework does not handle 404s on denial. This behaviour is consistent with foreman, 404 instead of 403 if object not authorized. 403 is only when route is not authorized.
We need to add support to this.
The current authorization does not handle multi permissions also. For example destroy_content_views and promote_or_remove_content_views either support 'removing' a content view. However the controller authorizer does not handle this correctly.


Related issues 1 (0 open1 closed)

Blocks Katello - Tracker #30872: Use proper authorization in controllersClosed

Actions
Actions

Also available in: Atom PDF