Bug #33371

closed

Non-admin users can not list their Personal Access Tokens

Added by Dominik Matoulek about 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Category: Users, Roles and Permissions
Target version: -
Difficulty:
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1996048

Description of problem:
Non-admin users are unable to see the Personal Access Tokens that they created.

Adding the `view_users` permission to the non-admin user fixes the issue.
However, the user should be able to list his tokens without the need of assigning the `view_users` permission that exposes the user list to the non-admin user.
Exposing the user list might not be acceptable in some customer environments.

Version-Release number of selected component (if applicable):
foreman-2.5.2.4-1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. create a role with Personal access token filter and unrestricted permissions view_personal_access_tokens, create_personal_access_tokens, revoke_personal_access_tokens

2. assign a role to non-admin user
3. log out and log in as a non-admin user
4. username -> my account -> personal access tokens tab
5. create a token
6. click Submit and go back to username -> my account -> personal access tokens tab to list the tokens

Actual results:
The non-admin user is not able to list its Personal access tokens without having the `view_users` permission assigned.

Expected results:
The non-admin user is able to list its Personal access tokens without having the `view_users` permission assigned.
