Red Hat 3scale API Management
THREESCALE-1116

Admin Portal users can view and modify applications that they shouldn't have permissions for


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • None
    • 2.2 GA
    • Component: System

    Steps to Reproduce

      1. Create 2 API services.
      2. Create an Admin Portal user that only has permissions to manage the first service (see permissions.png).
      3. Sign up a new developer for the second API service (NOT the one the user from step 2 has permissions for) and create an application.
      4. Sign in to the Admin Portal as the user from step 2.
      5. Go to the Developers tab and observe that the Admin Portal user can see the new developer (from step 3), even though that developer has no subscription to the service the Admin Portal user has permissions for (bug 1?).
      6. Click on the developer account and observe that the user can see an application that does not belong to the service they have permissions for (see account_view.png) (bug 2?).
      7. Click on the application and observe that the user can actually view and modify this application (see application_view.png) (bug 3?).


    Description

      When an Admin Portal user only has permissions to manage a specific API service, the per-service permission is not enforced on the Developers listing, the developer account view or the application view: the user can still see, open and modify developer applications that belong to other API services.
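      The three observations in the steps above are the same missing object-level authorization check showing up in three views: the developer listing, the account's application list and the application view/edit path. The Ruby sketch below is added here as an illustration and is not code from 3scale or porta; it models the reproduction fixture (two services, a member permitted on service 1 only, a developer subscribed only to service 2) and contrasts the unscoped lookups the report describes with lookups filtered by the member's allowed services. All names (Member, allowed_service_ids, NotAuthorized, the audit helper) and all fixture data are assumptions of the example.

```ruby
# Added illustration, not 3scale/porta code: scoping developer accounts and
# applications to the API services an Admin Portal member may manage.
# Model names and fixture data below are constructed for this example.

Account     = Struct.new(:id, :org_name)
Application = Struct.new(:id, :account_id, :service_id, :name)
Member      = Struct.new(:username, :allowed_service_ids)

class NotAuthorized < StandardError; end

# Fixture mirroring the reproduction steps: a member who may manage only
# service 1, and a developer (account 20) subscribed only to service 2.
ACCOUNTS = [Account.new(10, 'Dev on API 1'), Account.new(20, 'Dev on API 2 only')].freeze
APPLICATIONS = [
  Application.new(100, 10, 1, 'app-on-api-1'),
  Application.new(200, 20, 2, 'app-on-api-2')
].freeze
RESTRICTED_MEMBER = Member.new('restricted-admin', [1]).freeze

# Behaviour the report describes: lookups ignore the member's permissions, so
# every developer (bug 1), every application (bug 2) and the edit path (bug 3)
# are reachable.
module Unscoped
  def self.developers(_member)
    ACCOUNTS
  end

  def self.applications(_member, account)
    APPLICATIONS.select { |app| app.account_id == account.id }
  end

  def self.find_application(_member, id)
    APPLICATIONS.find { |app| app.id == id }
  end
end

# Hardened: every lookup is filtered by service_id, and the direct fetch used
# by the view/modify path re-checks authorization instead of trusting that the
# listing hid the link.
module Scoped
  def self.permitted?(member, app)
    member.allowed_service_ids.include?(app.service_id)
  end

  def self.applications(member, account)
    APPLICATIONS.select { |app| app.account_id == account.id && permitted?(member, app) }
  end

  # A developer is listed only if they hold at least one application on a
  # service the member may manage.
  def self.developers(member)
    ACCOUNTS.select { |account| applications(member, account).any? }
  end

  def self.find_application(member, id)
    app = APPLICATIONS.find { |a| a.id == id }
    raise NotAuthorized, "application #{id} is not in your services" unless app && permitted?(member, app)
    app
  end

  # Mutation goes through the same authorized fetch, so a guessed or bookmarked
  # application id cannot be modified either.
  def self.update_application!(member, id, new_name)
    app = find_application(member, id)
    app.name = new_name
    app
  end
end

# Summarises the report's three observations for a given lookup module:
# which developers are listed, which of account 20's applications show up,
# and whether application 200 (outside the member's services) can be opened.
def audit(scope, member)
  account = ACCOUNTS.find { |a| a.id == 20 }
  outside_app = begin
    scope.find_application(member, 200)
  rescue NotAuthorized
    nil
  end
  {
    visible_developers: scope.developers(member).map(&:id),
    apps_on_other_account: scope.applications(member, account).map(&:id),
    can_open_outside_app: !outside_app.nil?
  }
end
```

      Running `audit(Unscoped, RESTRICTED_MEMBER)` reproduces the report (both developers listed, application 200 visible and openable), while `audit(Scoped, RESTRICTED_MEMBER)` shows only account 10 and rejects application 200. The point of the design is that filtering the listing is not the authorization check: the fetch behind step 7 has to verify the service permission itself, otherwise anyone who knows or guesses an application id still reaches the view/modify path.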

      Attachments

        1. account_view.png (98 kB, Shannon Poole)
        2. application_view.png (77 kB, Shannon Poole)
        3. permissions.png (74 kB, Shannon Poole)


          People

            Unassigned
            rhn-support-spoole Shannon Poole
            Jakub Smadis (Inactive)
            Votes: 0
            Watchers: 6
