Project

General

Profile

Actions
Copy link

Bug #6760

open

Models should ensure the authorization of associated objects before associating them to the model

Added by Eric Helms over 10 years ago. Updated almost 9 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Users, Roles and Permissions
Target version:
-
Difficulty:
Triaged:
Bugzilla link:
1126840
Pull request:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

While this issue is systematic, I'll provide an example using domains and subnets to illustrate the problem.

As an admin:
1. Create a new domain: "example.org"
2. Create a User: "testuser"
3. Create a new Role: "Subnets Role"
4. Add a Filter to the Role with - Type: Subnets, Permissions: create_subnets, view_subnets

As testuser:

curl -u testuser:testuser -X POST -d '{"name": "subnet1", "network": "255.168.192.1", "mask": "255.255.255.0", "domains": [{"id": 1}]}' -H "Content-Type: application/json" http://10.13.129.41:3000/api/v2/subnets

Related issues 5 (2 open3 closed)

Related to Foreman - Feature #4477: Improve permissions on resources in host creation/editing formClosedTomer Brisker02/27/2014Actions
Related to Foreman - Bug #7221: Edit organization displays associated resources for use w/o permissionsClosedThomas McKay08/21/2014Actions
Related to Foreman - Bug #7337: organizations UI does not filter resources to associate based upon RBACClosedTomer Brisker09/03/2014Actions
Related to Foreman - Feature #7289: ACL who can add a host to hostgroup.New08/28/2014Actions
Blocks Katello - Bug #5720: Roles: Add scopes to finds in converted controllersNewEric HelmsActions
Actions
Copy link

Also available in: Atom PDF