MAAS

[2.5, RBAC] Pool admins shouldn't be allowed to delete the pool

Bug #1812239 reported by Björn Tillenius
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
Fix Released
High
Alberto Donato
MAAS 2.5.1

Bug Description

This is with MAAS 2.5.1-7489-g2f25a2cc0-0ubuntu1~18.04.1 with RBAC enabled..

I have a user that has the Admin role on a single pool.

He's allowed to delete that pool, which he shouldn't.

Only users that have the Admin role in the 'all' resource pool scope
should be allowed to delete resource pools.

The reason is that you should always be allowed to undo something.
If you have permission to delete something, you should have permission
to recreate it.

See original description
Tags: rbac

Related branches

~ack/maas:backport-fix-1812239
Alberto Donato (community): Approve
Diff: 294 lines (+58/-37)
16 files modified
src/maasserver/api/resourcepools.py (+2/-1)
src/maasserver/api/tests/test_resourcepool.py (+10/-5)
src/maasserver/forms/__init__.py (+1/-0)
src/maasserver/models/__init__.py (+5/-1)
src/maasserver/permissions.py (+1/-0)
src/maasserver/rbac.py (+11/-0)
src/maasserver/static/js/angular/controllers/nodes_list.js (+2/-5)
src/maasserver/static/js/angular/controllers/tests/test_nodes_list.js (+5/-19)
src/maasserver/static/js/bundle/maas-min.js (+1/-1)
src/maasserver/static/js/bundle/maas-min.js.map (+1/-1)
src/maasserver/static/partials/nodes-list.html (+1/-1)
src/maasserver/tests/test_rbac.py (+10/-0)
src/maasserver/websockets/handlers/resourcepool.py (+1/-1)
src/maasserver/websockets/handlers/tests/test_resourcepool.py (+3/-2)
src/maasserver/websockets/handlers/tests/test_user.py (+2/-0)
src/maasserver/websockets/handlers/user.py (+2/-0)
~ack/maas:fix-rpool-delete-perm-rbac
Lee Trager (community): Approve
MAAS Lander: Approve
Diff: 276 lines (+56/-35)
14 files modified
src/maasserver/api/resourcepools.py (+2/-1)
src/maasserver/api/tests/test_resourcepool.py (+10/-5)
src/maasserver/forms/__init__.py (+1/-0)
src/maasserver/models/__init__.py (+5/-1)
src/maasserver/permissions.py (+1/-0)
src/maasserver/rbac.py (+11/-0)
src/maasserver/static/js/angular/controllers/nodes_list.js (+2/-5)
src/maasserver/static/js/angular/controllers/tests/test_nodes_list.js (+5/-19)
src/maasserver/static/partials/nodes-list.html (+1/-1)
src/maasserver/tests/test_rbac.py (+10/-0)
src/maasserver/websockets/handlers/resourcepool.py (+1/-1)
src/maasserver/websockets/handlers/tests/test_resourcepool.py (+3/-2)
src/maasserver/websockets/handlers/tests/test_user.py (+2/-0)
src/maasserver/websockets/handlers/user.py (+2/-0)
Björn Tillenius (bjornt)
tags: added: rbac
description: updated
Changed in maas:
status: New → Triaged
milestone: none → 2.5.1
importance: Undecided → High
Alberto Donato (ack)
Changed in maas:
status: Triaged → In Progress
assignee: nobody → Alberto Donato (ack)
MAAS Lander (maas-lander)
Changed in maas:
status: In Progress → Fix Committed
Andres Rodriguez (andreserl)
Changed in maas:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.