Bug #6070
open
view_compute_resources + power_compute_resource_vms permission provides access to all vms
Description
The view_compute_resources is required for users to select the compute resource to deploy on when creating a new host. If the user has access to power_compute_resource_vms, they can go into the compute resources "Virtual Machines" tab and power VMs which they shouldn't have access to. I assume this is the same for deleting hosts as well but I haven't tested it. Perhaps there needs to be another permission called "deployon_compute_resource" which allows users to select the compute resources in the host creation page but not browse the compute resource page.
Currently on 1.5.0
Updated by Dominic Cleal over 10 years ago
- Category changed from Compute resources to Users, Roles and Permissions
Updated by Rich Boyce over 7 years ago
We are also seeing this bug, in Foreman version 1.14.2. A user with this combination of rights can power off a VM that it does not have rights over in Foreman.