Bug #33371

Non-admin users can not list their Personal Access Tokens

Added by Dominik Matoulek 5 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Category: Users, Roles and Permissions
Target version: -
Difficulty:
Triaged: Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1996048

Description of problem:
Non-admin users are unable to see the Personal Access Tokens that they created.

Adding the `view_users` permission to the non-admin user fixes the issue.
However, the user should be able to list their tokens without needing to be assigned the `view_users` permission, which exposes the user list to the non-admin user.
Exposing the user list might not be acceptable in some customer environments.

Version-Release number of selected component (if applicable):
foreman-2.5.2.4-1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. create a role with a Personal access token filter and the unrestricted permissions view_personal_access_tokens, create_personal_access_tokens, revoke_personal_access_tokens

2. assign the role to a non-admin user
3. log out and log in as the non-admin user
4. username -> My account -> Personal access tokens tab
5. create a token
6. click Submit and go back to username -> My account -> Personal access tokens tab to list the tokens

Actual results:
The non-admin user is not able to list their Personal access tokens without having the `view_users` permission assigned.

Expected results:
The non-admin user is able to list their Personal access tokens without having the `view_users` permission assigned.

Associated revisions

Revision 77f4c121 (diff)
Added by Dominik Matoulek 5 months ago

Fixes #33371 - Fixing personal tokens for users

Fixing the situation where a user can see and revoke their own personal tokens
by removing permissions, so that only the user and admin are able to see
personal tokens for a given user.
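
The rule the commit message states (only the token's owner and admins may list a given user's tokens, and `view_users` is not consulted), next to the behaviour the report describes, as an added example that is not Foreman's own code. The `User` and `PersonalAccessToken` structs, the policy functions and the sample users are assumptions built for illustration; only the permission names mirror those in the report. `list_tokens_before` models what the report observed, `list_tokens_after` what the fix describes.

```ruby
# Added example, not Foreman's own code: a stand-alone model of the
# authorization rule this issue is about. User, PersonalAccessToken, the
# policy functions and the sample data are assumptions for illustration;
# only the permission symbols mirror the names used in the report.

User = Struct.new(:login, :admin, :permissions, keyword_init: true) do
  # Admins implicitly hold every permission.
  def can?(permission)
    admin || permissions.include?(permission)
  end
end

PersonalAccessToken = Struct.new(:id, :owner, :name, keyword_init: true)

# Behaviour the report describes: listing was gated on view_users, so a
# non-admin holding only the personal_access_tokens permissions saw nothing.
# The report only says that granting view_users makes the user's own tokens
# appear, so this model returns no more than those.
def list_tokens_before(current_user, target_login, tokens)
  return tokens.select { |t| t.owner == target_login } if current_user.admin
  return [] unless current_user.can?(:view_users) &&
                   current_user.can?(:view_personal_access_tokens)
  tokens.select { |t| t.owner == target_login && t.owner == current_user.login }
end

# Behaviour after the fix, per the commit message: only the owner and admins
# may see the tokens of a given user; view_users plays no part.
def list_tokens_after(current_user, target_login, tokens)
  return tokens.select { |t| t.owner == target_login } if current_user.admin
  return [] unless current_user.can?(:view_personal_access_tokens)
  return [] unless target_login == current_user.login
  tokens.select { |t| t.owner == target_login }
end

# The same ownership rule applied to revocation.
def can_revoke?(current_user, token)
  return true if current_user.admin
  current_user.can?(:revoke_personal_access_tokens) && token.owner == current_user.login
end

# Constructed sample data: alice holds only the token permissions, bob
# additionally holds view_users, root is an admin.
TOKEN_PERMS = %i[view_personal_access_tokens create_personal_access_tokens
                 revoke_personal_access_tokens].freeze
ALICE = User.new(login: 'alice', admin: false, permissions: TOKEN_PERMS)
BOB   = User.new(login: 'bob',   admin: false, permissions: TOKEN_PERMS + [:view_users])
ROOT  = User.new(login: 'root',  admin: true,  permissions: [])
TOKENS = [
  PersonalAccessToken.new(id: 1, owner: 'alice', name: 'laptop'),
  PersonalAccessToken.new(id: 2, owner: 'bob',   name: 'ci'),
].freeze

if $PROGRAM_NAME == __FILE__
  puts "before, alice lists own tokens: #{list_tokens_before(ALICE, 'alice', TOKENS).map(&:id)}"
  puts "after,  alice lists own tokens: #{list_tokens_after(ALICE, 'alice', TOKENS).map(&:id)}"
  puts "after,  alice lists bob's:      #{list_tokens_after(ALICE, 'bob', TOKENS).map(&:id)}"
  puts "after,  root lists bob's:       #{list_tokens_after(ROOT, 'bob', TOKENS).map(&:id)}"
end
```

Run with `ruby tokens.rb`: in the "before" model alice, lacking `view_users`, gets an empty list for her own tokens; in the "after" model she gets them, still cannot see bob's, and the admin sees everyone's, which is the least-privilege outcome the report asks for.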

History

#1 Updated by Dominik Matoulek 5 months ago

  • Triaged changed from No to Yes
  • Assignee set to Dominik Matoulek
  • Subject changed from Non-admin users can not list their Personal Access Tokens to Non-admin users can not list their Personal Access Tokens

#2 Updated by Dominik Matoulek 5 months ago

  • Category set to Users, Roles and Permissions

#3 Updated by The Foreman Bot 5 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/8745 added

#4 Updated by The Foreman Bot 5 months ago

  • Pull request https://github.com/theforeman/foreman/pull/8763 added

#5 Updated by Ondřej Ezr 5 months ago

  • Pull request deleted (https://github.com/theforeman/foreman/pull/8763)

#6 Updated by The Foreman Bot 5 months ago

  • Fixed in Releases 3.1.0 added

#7 Updated by Dominik Matoulek 5 months ago

  • Status changed from Ready For Testing to Closed
