Problem:
I faced strange issue with hostgroups, puppetclasses and user permissions.
Example:
There is puppetclass with three hostgroups: A, B and C.
User can view and edit only B and C hostgroups.
User makes some changes in puppetclass parameters and saves them.
After that puppetclass have only two hostgroups: B and C.
User’s role restricts user to view only B and C groups, but allows unlimited editing of puppetclasses.
I want to know how is it normal behavior or some weird bug? Any workaround for this situation? I have only two ideas for the moment: give a administration rights to all users or let all users view and edit all hostgroups. Does anyone has better ideas?
After that list of puppetclasses hostgroups contains only that hostgroup which contains selected organization or location. So when puppetclass saved, it lost all other hostgroups.
Can anyone else confirm that? Should I open an issue on Foreman bugtracker? Does anyone have any similar issues with that organizatioin/location filters?
So, I made a further investigate and was able to reproduce this bug.
It can be reproduced with any new users even without filters from my last comment.
Role grants restricted permissions to hostgroups (can edit and view only hostgroup with specific organization) and unlimited rights to edit puppetclasses.
Steps to reproduce:
Assign puppetclass to some different hostgroups.
Login as user who is allowed to edit puppetclasses, but can edit only some of hostgroups from step 1.
Open a puppetclass from step 1, make any changes and press “submit”.
Now log in as admin and see that puppetclass assigned only to that hostgroups that user from step 2 can edit. All other hostgroups are gone.
If user edits a puppetclass and doesn’t have rights to all groups which assigned to this puppetclass, then when saving the puppetclass, groups that are inaccessible to the user will be removed from the class.
