Bug #38727
closed
Autocomplete feature for search shows content that should be forbidden by RBAC
Added by Adam Ruzicka 5 months ago.
Updated 5 months ago.
Description
1. Create a domain called foo
2. Create a domain called bar
3. Create a role
4. Add view_domains permission to it, limit it by search to name ~ f*
5. Create a user
6. Give the role to the user
7. Log in as user
8. Go to Infrastructure > Domains
9. Put name = into the search bar
Expected results:
Autocomplete offers only domain foo.
Actual results:
Autocomplete offers both bar and foo domains.
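
The expected and actual results above, reduced to a self-contained Ruby model. This is an added example, not Foreman's code or the change from the pull request. `RoleFilter`, `autocomplete_unscoped`, `autocomplete_scoped` and `leaked_suggestions` are hypothetical names, and the `name ~ f*` filter is modelled as a glob on the name.

```ruby
# Constructed sample data mirroring the reproduction steps: two domains and
# a role filter on view_domains limited to "name ~ f*".
Domain = Struct.new(:name)
DOMAINS = [Domain.new("foo"), Domain.new("bar")].freeze

# Hypothetical stand-in for a role filter; the search "name ~ f*" is modelled
# as a case-insensitive glob on the name (a simplification of the real syntax).
class RoleFilter
  def initialize(permission, pattern)
    @permission = permission
    @pattern = pattern
  end

  # Records the user may see for the given permission; nothing if the
  # filter does not grant that permission.
  def authorized(records, permission)
    return [] unless permission == @permission
    records.select { |r| File.fnmatch(@pattern, r.name, File::FNM_CASEFOLD) }
  end
end

# Flawed pattern: value completions come from every record in the table,
# so the suggestion list discloses names the index page would hide.
def autocomplete_unscoped(records, field, prefix)
  records.map { |r| r.public_send(field) }
         .select { |v| v.start_with?(prefix) }
         .sort.map { |v| "#{field} = #{v}" }
end

# Corrected pattern: apply the same authorization scope as the listing
# first, then derive completions only from what remains.
def autocomplete_scoped(records, field, prefix, filter, permission)
  autocomplete_unscoped(filter.authorized(records, permission), field, prefix)
end

# Regression check usable in a test suite: any suggestion that is not
# derivable from the authorized set is a leak.
def leaked_suggestions(records, field, filter, permission)
  autocomplete_unscoped(records, field, "") -
    autocomplete_scoped(records, field, "", filter, permission)
end

FILTER = RoleFilter.new(:view_domains, "f*")
```

An empty result from `leaked_suggestions` is the condition a regression test for this class of bug should assert for every searchable field.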
Related issues
2 (2 open — 0 closed)
- Related to Bug #37531: Autocomplete feature for search shows content from forbidden organization for user added
This issue talks about things which should be explicitly allowed (or forbidden) by RBAC, while 37531 talks about taxonomy scoping.
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/10645 added
- Red Hat JIRA set to SAT-36586
- Fixed in Releases 3.17.0 added
- Status changed from Ready For Testing to Closed
- Target version set to 3.16.1
- Related to Bug #38656: Autocomplete feature for search shows content from forbidden organization for user added