Bug #6361
closed
menu item "Hosts --> All hosts" is visible to normal user from anonymous role by default
Added by Dominic Cleal almost 10 years ago.
Updated almost 6 years ago.
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1112750
++ This bug was initially created as a clone of Bug #1112182 ++
Description of problem:
I created a simple user in "Any context" mode and did not assign any location, org and roles. But following menus are visible to that user.
Ideally user shouldn't be allowed to have access to any of menu items without any permission. Hosts menu shows "All Hosts" and user can see the created hosts.
Version-Release number of selected component (if applicable):
sat6 beta snap10 compose2
How reproducible:
always
Steps to Reproduce:
1. Login with admin user
2. create a user in "Any context" and do not assign location and org
3. logout with admin user and login with newly created user
Actual results:
User can see Hosts --> All hosts
Expected results:
user shouldn't be allowed to have access to any of menu items without any permission
Additional info:
- Category set to Authentication
Not really "any permission", but all users automatically get the "Anonymous" role added. By default the anonymous role (a terrible name in itself, see #994) grants an unlimited view_hosts permission. This confuses a lot of people and should be removed by default IMHO.
- Related to Refactor #994: The Role default_user is misleading added
- Subject changed from menu item "Hosts --> All hosts" is visible to normal user without any permission to menu item "Hosts --> All hosts" is visible to normal user from anonymous role by default
- Assignee set to Daniel Lobato Garcia
- Status changed from New to Assigned
- Target version set to 1.8.1
- Status changed from Assigned to Ready For Testing
- Related to Bug #5672: Host group filter bypassed due to unlimited view_hosts filter on anonymous role added
- Target version changed from 1.8.1 to 1.8.0
- Pull request https://github.com/theforeman/foreman/pull/1549 added
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
- translation missing: en.field_release set to 10
- Is duplicate of Bug #4641: Deleting user with associated roles triggers PG::NotNullViolation added
- Related to Bug #6926: New user with just anonymous role will get 403 Forbidden upon logon to / (redirected to /hosts) added
- Related to Bug #1632: On login with minimal permissions, user is always taken to host page added
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by Anonymous 
Updated by