Feature #6321

Bastion pages should enforce permissions when entering the page

Added by Walden Raines over 10 years ago. Updated over 6 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Web UI
Target version:
Difficulty: medium
Triaged: Yes
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1111695
Description of problem:

In other words you can copy/paste a URL and visit a Bastion page directly even if you don't have permissions to visit that page.

Version-Release number of selected component (if applicable):

Latest.

How reproducible:

Always.

Steps to Reproduce:
1. Create a role
2. Add a single filter to the role
3. Create a user
4. Add the role from step 1 to the user
5. Logout
6. Login as the user from step 3
7. Visit another Bastion page not governed by the permission created in step 2
8. Note you can access the page (but nothing is displayed as the REST calls result in 403s).

Actual results:

You can access the page (but nothing is displayed as the REST calls result in 403s).

Expected results:

A message that tells the user they don't have permission to view this page.

Additional info:
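
The behaviour requested above, sketched as an added example that is not part of the original ticket and not Bastion's or Katello's code: a check run on route entry, plus a fallback for the 403s the REST calls already return. All names (`ROUTE_PERMISSIONS`, `checkRouteAccess`, `handleApiStatus`, the route and permission strings) are hypothetical.

```javascript
// Added example. Every identifier here is hypothetical, not Bastion's API.
const DENIED_MESSAGE = "You don't have permission to view this page.";

// Constructed sample map: client-side page -> permission needed to enter it.
const ROUTE_PERMISSIONS = new Map([
  ['/products', 'view_products'],
  ['/content_views', 'view_content_views'],
  ['/activation_keys', 'view_activation_keys'],
]);

// Run when the router is about to enter a page, before any view renders.
// Deny by default: a route with no declared permission is never shown.
// This only controls what the UI displays; the server-side 403 on each
// REST call remains the actual enforcement point.
function checkRouteAccess(path, user) {
  if (!ROUTE_PERMISSIONS.has(path)) {
    return { allowed: false, status: 404, message: 'Page not found.' };
  }
  const required = ROUTE_PERMISSIONS.get(path);
  const granted = new Set((user && user.permissions) || []);
  if ((user && user.admin === true) || granted.has(required)) {
    return { allowed: true, status: 200, message: null };
  }
  return { allowed: false, status: 403, message: DENIED_MESSAGE };
}

// Fallback for the situation in the ticket: the page was entered anyway
// (for example through a pasted URL whose route map entry is stale) and a
// REST call came back 403. Swap the empty page for the denied view.
function handleApiStatus(status, currentView) {
  if (status === 403) {
    return { view: 'permission-denied', message: DENIED_MESSAGE };
  }
  return currentView;
}

// Constructed user: a role with a single filter, as in the steps above.
const limitedUser = { admin: false, permissions: ['view_products'] };
console.log(checkRouteAccess('/products', limitedUser));
console.log(checkRouteAccess('/content_views', limitedUser));
```
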


Related issues 1 (0 open, 1 closed)

Related to Katello - Feature #5217: As a user, I should have CRUD permissions for all entities that are exposed to me. (Closed, 04/16/2014)