  1. Red Hat 3scale API Management
  2. THREESCALE-1116

Admin Portal users can view and modify applications that they shouldn't have permissions for

    Details

    • Target Release:
    • Steps to Reproduce:

      1. Create 2 API Services
      2. Create an admin user that only has permissions to manage the first service (see permissions.png)
      3. Sign up a new user for second API service (NOT the one the user has permissions for) and create an application
      4. Sign in to admin portal as user from step 2
      5. Go to Developers tab and observe that admin portal user can see new developer (from step 3) even though the developer does not have a subscription to the service the admin portal user has permissions for (bug 1?)
      6. Click on developer account and observe that user can see application that is not part of service they have permissions for (see account_view.png) (bug 2?)
      7. Click on application and observe that user can actually see and modify this application (see application_view.png) (bug 3?)

    • QE Test Coverage:
      +

      Description

      When an admin portal user only has permissions to manage a specific API, they can still easily see and manage developer applications that are not part of that API service.
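
      The three observations in the steps above (Developers list, account view, application view and modify) are three separate places where a service-scoped check applies. The Ruby below is an added example, not 3scale's code: the `Application`, `Member` and `ScopedPortal` names, the data model, and the choice to scope developers by their applications are all assumptions made for illustration.

```ruby
# Hypothetical model, not 3scale's schema: every application belongs to one
# developer account and one API service; a member admin holds a list of service ids.
require "set"

Application = Struct.new(:id, :account_id, :service_id, :name)
Member      = Struct.new(:name, :service_ids)
class AccessDenied < StandardError; end

class ScopedPortal
  def initialize(member, applications)
    @allowed = member.service_ids.to_set
    @applications = applications
  end

  # Step 5: the Developers list holds only accounts with an in-scope application.
  def developer_ids
    in_scope.map(&:account_id).uniq.sort
  end

  # Step 6: the account view lists only the in-scope applications.
  def applications_for(account_id)
    in_scope.select { |app| app.account_id == account_id }
  end

  # Step 7: access by id is re-checked server-side; hidden links are not a control.
  # Unknown and out-of-scope ids fail the same way, so ids cannot be probed.
  def find_application(id)
    app = @applications.find { |a| a.id == id }
    raise AccessDenied, "application #{id} not available" unless app && @allowed.include?(app.service_id)
    app
  end

  def rename_application(id, new_name)
    find_application(id).name = new_name
  end

  private

  def in_scope
    @applications.select { |app| @allowed.include?(app.service_id) }
  end
end

# Constructed sample data: services 1 and 2, member limited to service 1.
APPS = [
  Application.new(10, 100, 1, "orders-app"),
  Application.new(20, 200, 2, "billing-app"),
  Application.new(21, 100, 2, "billing-app-2")
].freeze
MEMBER = Member.new("service-1-admin", [1])
```

      With this data, `ScopedPortal.new(MEMBER, APPS)` lists only developer 100, shows only application 10 on that account, and raises `AccessDenied` for applications 20 and 21.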

          Attachments

          1. account_view.png (98 kB)
          2. application_view.png (77 kB)
          3. permissions.png (74 kB)

              People

              • Assignee:
                rhn-support-spoole Shannon Poole
                Reporter:
                rhn-support-spoole Shannon Poole
                Tester:
                Jakub Smadis
              • Votes:
                0
                Watchers:
                6

                Dates

                • Created:
                  Updated:
                  Resolved: