Bug #960

closed

User without admin rights is not able to delete reports

Added by Marcello de Sousa over 13 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Users, Roles and Permissions
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

A user with rights to "Edit Host" is able to delete the host but doesn't seem to have rights to delete the reports ... Deleting a host with that user will slightly break the DB giving you a 500 when you generate reports with the "orphan" host ID.

PS.: I've tested this with the latest stable (0.2) and noticed the "last login" info for the user without admin rights is also not updated.

PS2.: "Nice to have" (not a "must"): It would be nicer if Foreman did not crash on the orphan ID, but informed you about it (in the error message or in the specific report "row" itself).


Related issues 3 (0 open, 3 closed)

  • Related to Foreman - Bug #1064: "last login" info for a user without admin rights is not updated (Closed, 07/24/2011)
  • Related to Foreman - Feature #1067: Expose error messages in the web GUI (Closed, Ohad Levy, 07/24/2011)
  • Related to Foreman - Bug #1137: Host was deleted but facts are not gone. (Closed, Ohad Levy, 08/30/2011)
Actions #1

Updated by Ohad Levy over 13 years ago

  • Target version changed from 0.3 to 0.4
Actions #2

Updated by Ohad Levy over 13 years ago

Can you please see if the following patch solves your problem?

Regarding the other topics, please open a bug for each issue... thanks!

diff --git a/app/models/report.rb b/app/models/report.rb
index e53e344..e6e14da 100644
--- a/app/models/report.rb
+++ b/app/models/report.rb
@@ -292,7 +292,11 @@ class Report < ActiveRecord::Base

     # Anyone can create a report
     return true if operation == "create" 
-    return true if operation == "destroy" and User.current.allowed_to?(:destroy_reports)
+    user = User.current
+    if operation == "destroy" 
+      return true if user.allowed_to?(:destroy_reports)
+      return true if user.allowed_to?(:destroy_hosts) and (user.filtering? and Host.my_hosts(user).include?(host))
+    end

     errors.add_to_base "You do not have permission to #{operation} this report" 
     false
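
Review bot: In the new destroy branch, the second `return true` only fires when `user.filtering?` is true, so a user who holds destroy_hosts but for whom `user.filtering?` is false still falls through to "You do not have permission to destroy this report". If deleting a host is meant to take its reports with it for every user holding destroy_hosts, grant on `user.allowed_to?(:destroy_hosts)` and apply the `Host.my_hosts(user).include?(host)` test only when `user.filtering?`. `host` is also not checked for nil, so a report whose host is already gone would fail the `include?` test and stay undeletable through this path. Since the change widens who may delete reports, the comment above the checks should state that destroy_hosts implies report deletion for the user's own hosts.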
Actions #3

Updated by Ohad Levy over 13 years ago

  • Status changed from New to Feedback
  • Assignee changed from Ohad Levy to Marcello de Sousa

Did you have time to try the above patch?

Actions #4

Updated by Marcello de Sousa over 13 years ago

Just tested it and it works!

Actions #5

Updated by Marcello de Sousa over 13 years ago

Sorry. I think I drew some conclusions a bit too fast... I just got an error. Will test it more extensively and let you know.

Actions #6

Updated by Marcello de Sousa over 13 years ago

I could not get this to work. Is it possible for someone else to test it?

Actions #7

Updated by Ohad Levy over 13 years ago

  • Subject changed from User without admin rights is not able to detele reports to User without admin rights is not able to delete reports
Actions #8

Updated by Marcello de Sousa about 13 years ago

  • Assignee changed from Marcello de Sousa to Ohad Levy

I've tested this patch above again with the latest develop and I can confirm it is not working.

When I delete a host without admin rights, the host is removed from the DB but the reports stay there with "orphan" host IDs, and it breaks the UI reports screen with the error:

host_reports_url failed to generate from {:action=>"index", :controller=>"reports"} - you may have ambiguous routes, or you may need to supply additional parameters for this route. content_url has the following required parameters: ["hosts", :host_id, "reports"] - are they all satisfied? ActionView::TemplateError , 
(eval):17:in `host_reports_path' 
app/views/reports/_list.html.erb:19 
app/views/reports/_list.html.erb:16:in `each' 
app/views/reports/_list.html.erb:16 
app/views/reports/index.html.erb:3
Actions #9

Updated by Ohad Levy about 13 years ago

  • Target version deleted (0.4)
Actions #10

Updated by Benjamin Papillon almost 12 years ago

  • Status changed from Feedback to Assigned
Actions #11

Updated by Anonymous almost 11 years ago

  • Description updated (diff)

I think this is fixed. When the destroy_reports permission is assigned, users can destroy/delete hosts without problems in 1.3.1.

Actions #12

Updated by Dominic Cleal over 10 years ago

  • Status changed from Assigned to Feedback
  • Assignee deleted (Ohad Levy)

Verified in Foreman 1.5 too, associated reports are getting destroyed even when the user only has the destroy_hosts permission and no report permissions.

Actions #13

Updated by Dominic Cleal over 10 years ago

  • Status changed from Feedback to Resolved