Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1066586 - NDA setting prevents ACL's from working
Summary: NDA setting prevents ACL's from working
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Community
Component: web UI
Version: 0.15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified vote
Target Milestone: 0.15.5
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-02-18 16:43 UTC by Bill Peck
Modified: 2018-02-06 00:41 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-03-03 01:33:40 UTC


Attachments (Terms of Use)

Description Bill Peck 2014-02-18 16:43:32 UTC
Description of problem:

We have some systems in beaker that have been set to NDA/Secret and even though the ACL's say that users in a particular group should have access to reserve and edit the system they can't even see the system.

Version-Release number of selected component (if applicable):
0.15.3

How reproducible:
Every time.  

Steps to Reproduce:
1. User A own system A and NDA checked
2. Add group B to System A and User B
3. Add all permissions for group B

Actual results:
User B will not be able to see System A

Expected results:
User B should be able to see and use system.

Additional info:
If system is loaned to User B then user can edit and use system based on the ACL's.

Comment 3 Dan Callaghan 2014-02-19 00:02:18 UTC
This is an RFE rather than a regression, right? The current behaviour matches the previous behaviour in 0.14, namely that secret systems are only visible to the owner and to the person who they are loaned to.

Anyway this is already fixed in the upcoming 0.16 release by replacing the Secret checkbox with a "view" permission in the access policy.

http://git.beaker-project.org/cgit/beaker/commit/?id=c6101de1f657b3127f55e69674305984a9414e23

Comment 4 Bill Peck 2014-02-19 01:43:42 UTC
It is a regression.  One of the very confusing overloading of groups in beaker pre 0.15.

What is the ETA on 0.16?  

Thanks

Comment 5 Dan Callaghan 2014-02-19 04:49:20 UTC
Ahhh yes you're right, not sure how I missed that. In 0.14 and earlier, private systems were visible to group members (as well as owner, user, loan recipient, admins, and accounts with secret_visible permission).

Comment 6 Nick Coghlan 2014-02-19 07:43:24 UTC
We're hoping to have 0.16rc1 ready for testing next week, but we'll also come up with a patch for 0.15 that adds an implied "view" permission as part of having the "reserve" permission.

That way, even if there are delays in getting 0.16 published, there'll still be a patch that can be used to hot fix this issue in 0.15 deployments.

Comment 7 Dan Callaghan 2014-02-19 07:44:14 UTC
I think we can fix this for the 0.15.x series by allowing anybody with "reserve" permission to see secret systems. That should be equivalent to the old behaviour in 0.14, since we migrated system groups to be a grant of "reserve" permission in the access policy.

In 0.16+ the real fix will be the new "view" permission.

Comment 8 Dan Callaghan 2014-02-20 04:51:08 UTC
On Gerrit: http://gerrit.beaker-project.org/2823

Comment 11 Nick Coghlan 2014-03-03 01:33:40 UTC
This was fixed with the release of Beaker 0.15.5.


Note You need to log in before you can comment on or make changes to this bug.