|Summary:||NDA setting prevents ACL's from working|
|Product:||[Community] Beaker||Reporter:||Bill Peck <bpeck>|
|Component:||web UI||Assignee:||Dan Callaghan <dcallagh>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||tools-bugs <tools-bugs>|
|Version:||0.15||CC:||aigao, asaha, dcallagh, jburke, llim, pbunyan, rmancy, xjia|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2014-03-03 01:33:40 UTC||Type:||Bug|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Bill Peck 2014-02-18 16:43:32 UTC
Description of problem: We have some systems in beaker that have been set to NDA/Secret and even though the ACL's say that users in a particular group should have access to reserve and edit the system they can't even see the system. Version-Release number of selected component (if applicable): 0.15.3 How reproducible: Every time. Steps to Reproduce: 1. User A own system A and NDA checked 2. Add group B to System A and User B 3. Add all permissions for group B Actual results: User B will not be able to see System A Expected results: User B should be able to see and use system. Additional info: If system is loaned to User B then user can edit and use system based on the ACL's.
Comment 3 Dan Callaghan 2014-02-19 00:02:18 UTC
This is an RFE rather than a regression, right? The current behaviour matches the previous behaviour in 0.14, namely that secret systems are only visible to the owner and to the person who they are loaned to. Anyway this is already fixed in the upcoming 0.16 release by replacing the Secret checkbox with a "view" permission in the access policy. http://git.beaker-project.org/cgit/beaker/commit/?id=c6101de1f657b3127f55e69674305984a9414e23
Comment 4 Bill Peck 2014-02-19 01:43:42 UTC
It is a regression. One of the very confusing overloading of groups in beaker pre 0.15. What is the ETA on 0.16? Thanks
Comment 5 Dan Callaghan 2014-02-19 04:49:20 UTC
Ahhh yes you're right, not sure how I missed that. In 0.14 and earlier, private systems were visible to group members (as well as owner, user, loan recipient, admins, and accounts with secret_visible permission).
Comment 6 Nick Coghlan 2014-02-19 07:43:24 UTC
We're hoping to have 0.16rc1 ready for testing next week, but we'll also come up with a patch for 0.15 that adds an implied "view" permission as part of having the "reserve" permission. That way, even if there are delays in getting 0.16 published, there'll still be a patch that can be used to hot fix this issue in 0.15 deployments.
Comment 7 Dan Callaghan 2014-02-19 07:44:14 UTC
I think we can fix this for the 0.15.x series by allowing anybody with "reserve" permission to see secret systems. That should be equivalent to the old behaviour in 0.14, since we migrated system groups to be a grant of "reserve" permission in the access policy. In 0.16+ the real fix will be the new "view" permission.
Comment 11 Nick Coghlan 2014-03-03 01:33:40 UTC
This was fixed with the release of Beaker 0.15.5.