Bug #960
closed
User without admin rights is not able to delete reports
Description
A user with rights to "Edit Host" is able to delete the host but doesn't seem to have rights to delete the reports ... Deleting a host with that user will slightly break the DB giving you a 500 when you generate reports with the "orphan" host ID.
PS.: I've tested this with the latest stable (0.2) and noticed the "last login" info for the user without admin rights is also not updated.
PS2.: "Nice to have" (not a "must"): It would be nicer if Foreman did not crash with the orphan ID, but informed you about it (in the error message or in the specific report "row" itself).
Updated by Ohad Levy over 13 years ago
Can you please see if the following patch solves your problem?
Regarding the other topics, please open a bug for each issue... thanks!
diff --git a/app/models/report.rb b/app/models/report.rb index e53e344..e6e14da 100644 --- a/app/models/report.rb +++ b/app/models/report.rb @@ -292,7 +292,11 @@ class Report < ActiveRecord::Base # Anyone can create a report return true if operation == "create" - return true if operation == "destroy" and User.current.allowed_to?(:destroy_reports) + user = User.current + if operation == "destroy" + return true if user.allowed_to?(:destroy_reports) + return true if user.allowed_to?(:destroy_hosts) and (user.filtering? and Host.my_hosts(user).include?(host)) + end errors.add_to_base "You do not have permission to #{operation} this report" false
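Review bot: In the added `destroy_hosts` branch, the condition `(user.filtering? and Host.my_hosts(user).include?(host))` grants the destroy only when `user.filtering?` is true, so a user who holds `destroy_hosts` but for whom `filtering?` is false still falls through to `errors.add_to_base "You do not have permission to #{operation} this report"`. If such users are meant to be able to remove the reports of hosts they may delete, the condition should read `(!user.filtering? or Host.my_hosts(user).include?(host))`. The same line also calls `include?(host)` when the report's `host` is nil, which never matches, so a report without a host stays deletable only through `destroy_reports`; a comment stating that this is intended, plus a test for a non-admin user holding only `destroy_hosts`, would make the authorization rule explicit.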
Updated by Ohad Levy over 13 years ago
- Status changed from New to Feedback
- Assignee changed from Ohad Levy to Marcello de Sousa
Did you have time to try the above patch?
Updated by Marcello de Sousa over 13 years ago
Sorry. I think I drew some conclusions a bit too fast... I just got an error. Will test it more extensively and let you know.
Updated by Marcello de Sousa over 13 years ago
I could not get this to work. Is it possible for someone else to test it?
Updated by Ohad Levy over 13 years ago
- Subject changed from User without admin rights is not able to detele reports to User without admin rights is not able to delete reports
Updated by Marcello de Sousa about 13 years ago
- Assignee changed from Marcello de Sousa to Ohad Levy
I've tested the patch above again with the latest develop and I can confirm it is not working.
When I delete a host without admin rights, the host is removed from the DB but the reports stay there with "orphan" host IDs and it breaks the UI reports screen with the error:
host_reports_url failed to generate from {:action=>"index", :controller=>"reports"} - you may have ambiguous routes, or you may need to supply additional parameters for this route. content_url has the following required parameters: ["hosts", :host_id, "reports"] - are they all satisfied?
ActionView::TemplateError , (eval):17:in `host_reports_path'
app/views/reports/_list.html.erb:19
app/views/reports/_list.html.erb:16:in `each'
app/views/reports/_list.html.erb:16
app/views/reports/index.html.erb:3
Updated by Benjamin Papillon almost 12 years ago
- Status changed from Feedback to Assigned
Updated by Anonymous almost 11 years ago
- Description updated (diff)
I think this is fixed. When the destroy_reports permission is assigned, users can destroy/delete hosts without problems in 1.3.1.
Updated by Dominic Cleal over 10 years ago
- Status changed from Assigned to Feedback
- Assignee deleted (Ohad Levy)
Verified in Foreman 1.5 too, associated reports are getting destroyed even when the user only has the destroy_hosts permission and no report permissions.
Updated by Dominic Cleal over 10 years ago
- Status changed from Feedback to Resolved