ACL who can add a host to hostgroup.
With foreman 1.4 if a user had edit rights to a host due to a filter applied to a subset of hostgroups
- Move a host to any hostgroup via API
- however when editing via web interface they were at least only
presented with hosgroups to which they were enabled in filter.
With foreman 1.5 the first point is still true that via API a host can be put in any hostgroup
but also the drop down box contains all hostgroups so it's a bit more obvious.
Having set up a role like the following with 1.5.
|hostgroup||view_hostgroups, create_hostgroups, edit_hostgroups, destroy_hostgroups||title = cvmfs or title ~ cvmfs/%|
|Host/managed||view_hosts, create_hosts, destroy_hosts, console_hosts, build_hosts, edit_hosts, ipmi_boot, power_hosts, puppetrun_hosts||hostgroup_title = cvmfs or hostgroup_title ~ cvmfs/%|
You also get the slightly bizare consequence that a user can edit a host in such a way that they then no longer
have access to it.
The RFE is to request to somehow control which hostgroups a user is permitted to put hosts in. Returning to old
1.4 behaviour where the drop down box was limited to hostgroups that can be viewed would also be good.
#2 Updated by Dominic Cleal almost 6 years ago
- Tracker changed from Bug to Feature
- Subject changed from RFE - ACL who can add a host to hostgroup. to ACL who can add a host to hostgroup.
#4477 and related bugs have some discussion about this, it's something we're beginning to look at across the application (associated resources).
#9 Updated by Nacho Barrientos over 3 years ago
Is the patch fixing this issue  preventing users from creating hosts via the API in the hostgroup of their choice no matter what are the roles assigned to the caller?
We haven't backported the patch yet to verify ourselves, but at a glance it does not seem to fix the issue described above by Steve.
#11 Updated by Marek Hulán over 3 years ago
Ok, I thought it returned the described 1.4 behavior. So if I understand you correctly, to fix this issue we need to add permissions checking for hostgroups being assigned to host. Is it desirable to control it via view_hostgroup permission or create_host permission?
EDIT: or even new host group permission called "assign_to_host"?