[katello-devel] user creation permissions

Partha Aji paji at redhat.com
Tue Nov 6 19:57:02 UTC 2012


----- Original Message -----
> From: "Adam Price" <adprice at redhat.com>
> To: katello-devel at redhat.com
> Sent: Tuesday, November 6, 2012 1:08:16 PM
> Subject: [katello-devel] user creation permissions
> 
> hey folks,
> 
> so i have a bug [1], and it goes like this
> 
> 1. create a Role containing only a global permission allowing all
> actions on Users.
> 2. attach this role to a user (let's call him 'bob')
> 3. log in as 'bob' and attempt to create a new user called 'jim'
> 4. select the default Organization to put 'jim' in
> 5. watch Environment selector spin forever
> 
> per my comment on the bug:
> 
> "if the creating user doesn't have organization-viewing permissions,
> then i think he/she shouldn't be able to see the list of
> organizations.
> So effectively (with only User permissions) the creating user should
> only be able to create Users, but not assign Organizations and
> Environments."
> 
> does anyone agree or disagree?
> 
> a user shouldn't be able to see the list of orgs if they don't have
> org-viewing permissions.
> 
> In this particular case, if we prevent the user from selecting an
> organization (because he/she doesn't have permission), then
> we won't have to deal with the environment selector at all, but we
> still should make
> sure the spinner never gets stuck.
> 
> thoughts?
> 
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=873302
> 
> --
> Adam Price

So investigating this with Adam I found that we have been using the following "Rules of Engagement" for create and edit users.

https://github.com/Katello/katello/commit/95624038c590c34897b5aaeb83fc2100b207da6f

"""
Rules of engagement with respect to default environments
Administrator = Admin
User Being Modified = X
 Page -> Administration->Users -> X-> Environments

1) Admin with "create/modify users" perm should be able to see all the
 Organizations and Environments in drop down and update user X's orgs &
 environments.
2) Admin with only "read users" perm should not be able to edit/update
 orgs/environments of user X. The only exception to this rule is case
 where Admin = X, i.e. Admin is editing himself. In this case the Admin
 should be only able to see orgs & environments that Admin himself can register
 systems to.
3) X editing himself via top right-> <username>-> environments. In
 this case X should be only able to see orgs & environments that X himself can
 register systems to.
"""


Given this I propose the following step 1 to resolve this bug (admin with create/mod should be able to access the environments of the orgs)
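As an added example (not Katello's code, and not something either poster wrote), here is a small Ruby model of the quoted "rules of engagement" using constructed users and a hypothetical org/environment catalogue; it always returns a concrete, possibly empty, list so a selector fed from it never has anything to wait on.

```ruby
require 'set'

# Constructed model of the quoted "Rules of engagement"; not Katello's code.
# An Environment belongs to an Organization (both are plain names here).
Environment = Struct.new(:name, :org)

# A user carries a set of permission symbols plus the environments he/she
# can register systems to (what rules 2 and 3 call "X himself can register to").
User = Struct.new(:name, :perms, :registerable) do
  def can?(perm)
    perms.include?(perm)
  end
end

# Hypothetical global catalogue of orgs/environments used below.
ALL_ENVS = [
  Environment.new('Library', 'ACME_Corporation'),
  Environment.new('Dev',     'ACME_Corporation'),
  Environment.new('Library', 'Globex'),
].freeze

# Which environments may `actor` see on target's Environments page, and may
# the selection be changed? Returns a concrete list in every branch.
def environment_choices(actor, target, all_envs = ALL_ENVS)
  if actor.can?(:users_create) || actor.can?(:users_modify)
    { envs: all_envs, editable: true }            # rule 1: sees everything
  elsif actor.name == target.name
    { envs: actor.registerable, editable: true }  # rule 2 exception / rule 3
  else
    { envs: [], editable: false }                 # rule 2, or no users perm at all
  end
end

# The org drop-down is derived from the visible environments, so an empty
# environment list also means an empty org list (no selector to get stuck).
def organization_choices(actor, target, all_envs = ALL_ENVS)
  environment_choices(actor, target, all_envs)[:envs].map(&:org).uniq
end

if __FILE__ == $PROGRAM_NAME
  bob = User.new('bob', Set[:users_create], [])   # the bug report's 'bob'
  jim = User.new('jim', Set[], [])                # the user being created
  p organization_choices(bob, jim)                # => every org (rule 1)
  p environment_choices(jim, bob)                 # => { envs: [], editable: false }
end
```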




