[2.5, RBAC, API] maas machines list-allocated shows machines the user don't have access to

Bug #1812201 reported by Björn Tillenius on 2019-01-17
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MAAS
High
Alberto Donato

Bug Description

This is with MAAS 2.5.1-7489-g2f25a2cc0-0ubuntu1~18.04.1 with RBAC enabled.

I have a user that has the User role on a resource pool and allocates a machine to him.
An admin now removes the User role, so that he no long have access to the machines.

The 'machines read' API command confirms that he can't see the machines.

However, if he uses the 'machines list-allocated' command, he can still see
the machine.

Related branches

tags: added: api rbac
Changed in maas:
status: New → Triaged
importance: Undecided → High
milestone: none → 2.5.1
Alberto Donato (ack) on 2019-01-24
Changed in maas:
assignee: nobody → Alberto Donato (ack)
Alberto Donato (ack) on 2019-01-24
Changed in maas:
status: Triaged → In Progress
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers