Project

General

Profile

Actions

Bug #9506

closed

Filter with permission edit_config_groups is not actually limited by search expression

Added by Roland Leissl almost 10 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Users, Roles and Permissions
Target version:
Difficulty:
medium
Triaged:
Fixed in Releases:
Found in Releases:

Description

I try to restrict access to specific config groups for a specific user. The new role should be able to filter the available config groups through their names. Therefore this user should not be able to change production relevant config groups.
I would need to use this feature in a real world DevOps scenario.

- create a new role and add filter 1 for host class permissions.
- select items "edit_classes" for filter 1.
- create filter 2 with config group permissions.
- select items "view_config_groups" and "edit_config_groups" for filter 2.
- uncheck unlimited checkbox for filter 2.
- enter search expression into search textbox like "name != production-apache" for filter 2.
- associate the role with restricted user.
- create config group with a name like "production-apache"
- login with the restricted user.
- on the menu go to configure - config groups.

expected result -> the user should not be able to view or edit config groups with the string "production" in their names.
actual problem -> the user is allowed to view and edit all config groups, even ones with matching names to the exclusion search expression.

Thanks for your attention,
Roland


Related issues 1 (1 open0 closed)

Related to Foreman - Bug #10923: Permission behaviour not consistentNew06/24/2015Actions
Actions

Also available in: Atom PDF