Bug #32826

Non-admin user can not revoke user access token, attempt ends with 404

Added by Štefan Németh about 2 months ago. Updated about 1 month ago.

Status: Closed
Priority: High
Assignee:
Category: Users, Roles and Permissions
Target version:
Difficulty:
Triaged: No
Bugzilla link:

Description

1. create role with Personal access token filter and unrestricted permissions view_personal_access_tokens, create_personal_access_tokens, revoke_personal_access_tokens
2. assign a role to non-admin user
3. username -> my account -> personal access tokens tab
4. create a token
5. try to revoke it

Associated revisions

Revision 4d4804b5 (diff)
Added by Ondřej Ezr about 2 months ago

Fixes #32826 - nonadmin users able to revoke tokens (#8602)

Nonadmin users were not able to revoke tokens as we were using the wrong
permission for that. This uses the correct (`revoke`) permission instead
of `destroy` for revoking the user tokens.
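
The mismatch described in the commit message, as an added Ruby model that is not Foreman's code: every constant and method name here is hypothetical, and only the three permission names come from the issue. It assumes the permission verb is derived from the controller action, that those three permissions are the full set defined for the resource, and that an unauthorized lookup is filtered out of scope, which would surface as 404 rather than 403.

```ruby
require 'set'

RESOURCE = 'personal_access_tokens'

# Permissions granted by the role in the reproduction steps (names from the issue).
ROLE_PERMISSIONS = Set[
  "view_#{RESOURCE}", "create_#{RESOURCE}", "revoke_#{RESOURCE}"
].freeze

# Assumed convention: the permission verb is derived from the controller action.
DEFAULT_VERBS = {
  'index' => 'view', 'show' => 'view',
  'create' => 'create', 'destroy' => 'destroy'
}.freeze

# The fix, modelled as an override: the destroy action checks `revoke`.
REVOKE_OVERRIDE = { 'destroy' => 'revoke' }.freeze

# Constructed sample data: token id => owner.
TOKENS = { 1 => 'nonadmin' }.freeze

def required_permission(action, overrides = {})
  verb = overrides.fetch(action) { DEFAULT_VERBS.fetch(action) }
  "#{verb}_#{RESOURCE}"
end

# Assumed scoped lookup: without the required permission the record is
# filtered out, so the caller sees "not found" instead of "forbidden".
def revoke_status(token_id, granted, overrides = {})
  needed = required_permission('destroy', overrides)
  visible = granted.include?(needed) ? TOKENS : {}
  visible.key?(token_id) ? 200 : 404
end

# Regression check: actions whose required permission is not in the defined
# set can never be granted to a non-admin role.
def ungrantable_actions(actions, defined, overrides = {})
  actions.reject { |a| defined.include?(required_permission(a, overrides)) }
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{revoke_status(1, ROLE_PERMISSIONS)}"
  puts "after fix:  #{revoke_status(1, ROLE_PERMISSIONS, REVOKE_OVERRIDE)}"
  puts "ungrantable before fix: #{ungrantable_actions(DEFAULT_VERBS.keys, ROLE_PERMISSIONS)}"
end
```

A check like `ungrantable_actions` run over every controller in a test suite flags an action that requires a permission no role can hold, before a non-admin user hits it.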

History

#1 Updated by The Foreman Bot about 2 months ago

  • Assignee set to Ondřej Ezr
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/8602 added

#2 Updated by Ondřej Ezr about 2 months ago

This doesn't work through the API either.

#3 Updated by The Foreman Bot about 2 months ago

  • Fixed in Releases 3.0.0 added

#4 Updated by The Foreman Bot about 2 months ago

  • Fixed in Releases deleted (3.0.0)

#5 Updated by Ondřej Ezr about 2 months ago

  • Status changed from Ready For Testing to Closed

#6 Updated by Tomer Brisker about 1 month ago

  • Fixed in Releases 3.0.0 added

#7 Updated by Tomer Brisker about 1 month ago

  • Category set to Users, Roles and Permissions
  • Subject changed from Non-admin user can not revoke user access toke, attempt ends with 404 to Non-admin user can not revoke user access token, attempt ends with 404

#8 Updated by Ondřej Ezr about 1 month ago

  • Bugzilla link set to 1974685

#9 Updated by Tomer Brisker about 1 month ago

  • Target version set to 2.5.1

#10 Updated by The Foreman Bot about 1 month ago

  • Pull request https://github.com/theforeman/foreman/pull/8616 added

#11 Updated by Tomer Brisker about 1 month ago

  • Fixed in Releases 2.5.1 added
