Tenant admin can create a super admin #13291
Comments
This issue should be moved to the classic-ui repo now. The issue is in manageiq-ui-classic/app/controllers/ops_controller/ops_rbac.rb, line 988:
@edit[:groups] = MiqGroup.non_tenant_groups_in_my_region.sort_by { |g| g.description.downcase }.collect { |g| [g.description, g.id] }
should be
and when saving the user the input should be checked again in rbac_user_validate? I'll try a PR for this.
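The two-part fix proposed in the comment above (scope the group list, then re-check the submitted group when the user is saved), shown as an added example in plain Ruby; it is not ManageIQ code and not the change made in ManageIQ/manageiq-ui-classic#127. The structs, the sample data, the helpers `tenant_subtree`, `assignable_groups`, `group_choices` and `validate_group_assignment`, and the rule that a tenant admin may only assign non-super-admin groups inside their own tenant subtree are all assumptions made for illustration.

```ruby
# Added example: plain-Ruby model, not ManageIQ code. All names are hypothetical.
require "set"

Tenant = Struct.new(:id, :parent_id)
Group  = Struct.new(:id, :description, :tenant_id, :super_admin)
User   = Struct.new(:name, :tenant_id, :super_admin)

# Constructed sample data: root tenant 1, child tenants 2 and 3, grandchild 4 under 2.
TENANTS = [Tenant.new(1, nil), Tenant.new(2, 1), Tenant.new(3, 1), Tenant.new(4, 2)].freeze
GROUPS = [
  Group.new(10, "EvmGroup-super_administrator", 1, true),
  Group.new(20, "Tenant2-admins", 2, false),
  Group.new(21, "Tenant4-users", 4, false),
  Group.new(30, "Tenant3-admins", 3, false)
].freeze

# IDs of the tenant itself plus all of its descendants.
def tenant_subtree(tenant_id, tenants = TENANTS)
  ids = Set[tenant_id]
  loop do
    added = tenants.select { |t| ids.include?(t.parent_id) && !ids.include?(t.id) }
    break if added.empty?
    added.each { |t| ids << t.id }
  end
  ids
end

# Assumed rule: a super admin may assign any group; anyone else only
# non-super-admin groups inside their own tenant subtree.
def assignable_groups(current_user, groups = GROUPS)
  return groups if current_user.super_admin
  scope = tenant_subtree(current_user.tenant_id)
  groups.select { |g| scope.include?(g.tenant_id) && !g.super_admin }
end

# Form choices, in the same [description, id] shape as the line quoted above.
def group_choices(current_user)
  assignable_groups(current_user).sort_by { |g| g.description.downcase }.map { |g| [g.description, g.id] }
end

# Save-time check: the submitted id is untrusted and is tested against the
# same scope, so a hand-edited request cannot name a group the form never offered.
def validate_group_assignment(current_user, submitted_group_id)
  id = Integer(submitted_group_id, exception: false)
  return [false, "A group must be assigned"] if id.nil?
  return [true, nil] if assignable_groups(current_user).any? { |g| g.id == id }
  [false, "Group #{id} is not assignable by #{current_user.name}"]
end
```

Both the form list and the save-time check call `assignable_groups`, so the two cannot drift apart.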
Fixed via ManageIQ/manageiq-ui-classic#127 @evertmulder : thanks a lot!
Thanks for all the help!
@evertmulder : please, ping me in the issue that you create. I'd like to make sure we resolve this quick. Thx!
@martinpovolny: everything is working as expected using the API. The UI still has an issue: ManageIQ/manageiq-ui-classic#134 and ManageIQ/manageiq-ui-classic#135
Fix for #13291, Tenant admin can escalate rights (cherry picked from commit c6b67f5) https://bugzilla.redhat.com/show_bug.cgi?id=1413123
(cherry picked from commit 3ff4ebb).
Steps to reproduce:
This escalates the privileges of a tenant admin to global admin, defeating the tenant separation.
Tested both in darga and euwe