Bug #32826
Non-admin user can not revoke user access token, attempt ends with 404
Status: Closed
Priority: High
Assignee:
Category: Users, Roles and Permissions
Target version:
Pull request:
Found in Releases:
Description
1. create role with Personal access token filter and unrestricted permissions view_personal_access_tokens, create_personal_access_tokens, revoke_personal_access_tokens
2. assign a role to non-admin user
3. username -> my account -> personal access tokens tab
4. create a token
5. try to revoke it
Associated revisions
History
#1
Updated by The Foreman Bot 11 months ago
- Assignee set to Ondřej Ezr
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/8602 added
#2
Updated by Ondřej Ezr 11 months ago
This doesn't work through the API either.
#3
Updated by The Foreman Bot 11 months ago
- Fixed in Releases 3.0.0 added
#4
Updated by The Foreman Bot 11 months ago
- Fixed in Releases deleted (3.0.0)
#5
Updated by Ondřej Ezr 11 months ago
- Status changed from Ready For Testing to Closed
Applied in changeset foreman|4d4804b57da67646f7cf7d43ef4cd6bd3a59a222.
#6
Updated by Tomer Brisker 11 months ago
- Fixed in Releases 3.0.0 added
#7
Updated by Tomer Brisker 11 months ago
- Category set to Users, Roles and Permissions
- Subject changed from Non-admin user can not revoke user access toke, attempt ends with 404 to Non-admin user can not revoke user access token, attempt ends with 404
#8
Updated by Ondřej Ezr 11 months ago
- Bugzilla link set to 1974685
#9
Updated by Tomer Brisker 11 months ago
- Target version set to 2.5.1
#10
Updated by The Foreman Bot 11 months ago
- Pull request https://github.com/theforeman/foreman/pull/8616 added
#11
Updated by Tomer Brisker 11 months ago
- Fixed in Releases 2.5.1 added
Fixes #32826 - nonadmin users able to revoke tokens (#8602)
Nonadmin users were not able to revoke tokens as we were using the wrong
permission for that. This uses the correct (`revoke`) permission instead
of `destroy` for revoking the user tokens.
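
The permission mismatch described in the commit message above, as an added Ruby sketch that is not Foreman's code. It assumes the record lookup is scoped by permission, which would explain why the failure surfaces as a 404; `Token`, `find_authorized`, `permission_for`, `revoke` and `undefined_permissions` are hypothetical names, and the role contents come from the reproduction steps.

```ruby
# Constructed model of the bug in this ticket; not Foreman code.
Token = Struct.new(:id, :owner, :revoked)

class NotFound < StandardError; end

# Permissions granted to the non-admin role in the reproduction steps.
ROLE = %w[view_personal_access_tokens create_personal_access_tokens
          revoke_personal_access_tokens].freeze

# Assumption: the finder filters by permission, so a permission the user
# lacks makes the record look absent (404) instead of forbidden (403).
def find_authorized(tokens, id, permission, granted)
  scope = granted.include?(permission) ? tokens : []
  scope.find { |t| t.id == id } or raise NotFound
end

# Maps a controller action to the permission name that gets checked.
# fixed: false is the behaviour before the fix, fixed: true after it.
def permission_for(action, fixed:)
  verb = fixed && action == 'destroy' ? 'revoke' : action
  "#{verb}_personal_access_tokens"
end

# Revoking arrives as the 'destroy' action; returns an HTTP-style status.
def revoke(tokens, id, granted, fixed:)
  permission = permission_for('destroy', fixed: fixed)
  find_authorized(tokens, id, permission, granted).revoked = true
  200
rescue NotFound
  404
end

# Regression check: permission names an action maps to that are not in
# the defined set, which is how this mismatch can be caught in tests.
def undefined_permissions(actions, defined, fixed:)
  actions.map { |a| permission_for(a, fixed: fixed) } - defined
end
```
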