Bug 163614 - Java Security for Errata
Summary: Java Security for Errata
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Network
Classification: Red Hat
Component: RHN/R&D
Version: RHN Devel
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Ken Ganong
QA Contact: Mike McCune
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-07-19 14:49 UTC by Ken Ganong
Modified: 2007-04-18 17:29 UTC

Fixed In Version: RHN 4.0.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-01 02:53:57 UTC


Description Ken Ganong 2005-07-19 14:49:04 UTC
Currently the Java stack doesn't test whether a user has access to view an
erratum before looking it up.  The result is that a user could type in the eid
in the URL for the Errata Details page and view an erratum that he or she does
not have access to view.

Comment 1 Mike McCune 2005-07-22 21:19:02 UTC
Ken, this will need a testplan.

Comment 2 Ken Ganong 2005-07-25 13:14:06 UTC
Test Plan:

First, find an id for an erratum some user cannot view.  An erratum is viewable
by anyone in an org that has permissions to a channel in which that erratum is.

Log in as the user that cannot view the selected erratum.  Go to Errata->Click
an Erratum->Modify the URL so that the eid parameter is the selected,
non-viewable erratum.  This can be done on every Java page that shows details
about errata.

Expected Results:  A Lookup error page.
Failure Results:  Errata Details
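
The access rule and expected result from the description and test plan above, as an added example that is not part of the bug report and is not RHN code. All class, method and exception names and the sample data are hypothetical; the rule assumed is the one stated in the test plan (an org can view an erratum if it has permissions to a channel containing it).

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

// Added illustration only: hypothetical names, constructed sample data.
public class ErrataLookupExample {
    static class LookupException extends RuntimeException {
        LookupException(String msg) { super(msg); }
    }

    // Constructed data: erratum id -> channels that contain the erratum.
    static final Map<Long, Set<String>> ERRATA_CHANNELS = Map.of(
        1001L, Set.of("channel-a"),
        1002L, Set.of("channel-b"));
    // Constructed data: org id -> channels the org has permissions to.
    static final Map<Long, Set<String>> ORG_CHANNELS = Map.of(
        1L, Set.of("channel-a"),
        2L, Set.of("channel-a", "channel-b"));
    static final Map<Long, String> ERRATA = Map.of(
        1001L, "Erratum 1001 details", 1002L, "Erratum 1002 details");

    // True only if the org has at least one channel in which the erratum is.
    static boolean canView(long orgId, long eid) {
        Set<String> containing = ERRATA_CHANNELS.getOrDefault(eid, Set.of());
        Set<String> permitted = ORG_CHANNELS.getOrDefault(orgId, Set.of());
        return !Collections.disjoint(containing, permitted);
    }

    // The org comes from the session; eidParam is the untrusted URL parameter.
    // Unknown, malformed and forbidden ids all give the same lookup error, so
    // the response does not reveal whether a given eid exists.
    static String lookupErratum(long sessionOrgId, String eidParam) {
        long eid;
        try {
            eid = Long.parseLong(eidParam);
        } catch (NumberFormatException e) {
            throw new LookupException("Could not find erratum");
        }
        if (!canView(sessionOrgId, eid)) {   // check access before the lookup
            throw new LookupException("Could not find erratum");
        }
        return ERRATA.get(eid);
    }

    public static void main(String[] args) {
        System.out.println(lookupErratum(1L, "1001"));   // org 1 may view 1001
        for (String eid : new String[] {"1002", "9999", "abc"}) {
            try {
                System.out.println("FAIL: " + lookupErratum(1L, eid));
            } catch (LookupException e) {
                System.out.println("eid=" + eid + " -> lookup error page");
            }
        }
    }
}
```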

Comment 3 Mike McCune 2005-08-01 18:42:53 UTC
Will QA this.

Comment 4 Mike McCune 2005-08-01 21:56:27 UTC
Works fine, tested each of the errata Java pages.  prod_ready.