Story #8160
as a user with 'auth.change_group' permission i can POST /pulp/api/v3/groups/3/users/
% Done: 100%
Groomed: No
Sprint Candidate: No
Description
Looks like pulpcore 3.10.0.dev is not providing a default access policy for /pulp/api/v3/groups/<id>/users/
and as a result non-admin users can't modify users in a group using that URL.
Related issues
Associated revisions
History
#1
Updated by dkliban@redhat.com about 1 month ago
- Copied from Story #8159: as a user with 'auth.view_group' permission i can GET /pulp/api/v3/groups/ added
#2
Updated by ipanova@redhat.com about 1 month ago
- Sprint/Milestone set to 3.10.0
#3
Updated by mdellweg about 1 month ago
- Status changed from NEW to ASSIGNED
- Assignee set to mdellweg
#4
Updated by mdellweg about 1 month ago
- Tracker changed from Issue to Story
- Subject changed from user with 'auth.change_group' permission receives 403 on POST /pulp/api/v3/groups/3/users/ to as a user with 'auth.change_group' permission i can POST /pulp/api/v3/groups/3/users/
- % Done set to 0
- Severity deleted (2. Medium)
- Triaged deleted (No)
#5
Updated by pulpbot about 1 month ago
- Status changed from ASSIGNED to POST
#6
Updated by mdellweg about 1 month ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulpcore|1127e5c63d4154d57237b7886e9deb5526b21881.
Add RBAC to the group users endpoint
fixes #8160 https://pulp.plan.io/issues/8160