[UI] Remove Image button (for custom images) is presented to non-Admin users

Bug #1798242 reported by Trent Lloyd
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
MAAS | Fix Released | Medium | Newell Jensen |
2.4 | Triaged | Undecided | Unassigned |

Bug Description

When removing a custom image using the "Remove Image" link on the "Images" page - no feedback is given in the UI if this action fails due to lack of permission. After clicking the Remove button to confirm the action, the page stays the same with no feedback and the image is still listed.

An error is logged to the server log but there is no client feedback.

Additionally, the Remove Image link should probably not be presented in such a case.

= Steps to reproduce =

Tested on Bionic, MAAS 2.4.2-7034-g2f5deb8b8-0ubuntu1 from bionic-updates

(1) Upload a custom image using the MAAS CLI as a MAAS administrator
    maas admin boot-resources create name=windows/win2012r2 architecture=amd64/generic content@=./path/to/file (you can just use a dummy file)
(2) Create a non-admin user, and log in to the web interface with it
(3) Browse to the images tab and select the "Remove Image" link
(4) Observe no change in the UI, reload page, the image is still there
(5) Check regiond.log and observe the error below

2018-10-17 12:15:39 maasserver.websockets.protocol: [critical] Error on request (8) bootresource.delete_image: Permission denied.
 Traceback (most recent call last):
   File "/usr/lib/python3.6/threading.py", line 864, in run
     self._target(*self._args, **self._kwargs)
   File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 850, in worker
     return target()
   File "/usr/lib/python3/dist-packages/twisted/_threads/_threadworker.py", line 46, in work
     task()
   File "/usr/lib/python3/dist-packages/twisted/_threads/_team.py", line 190, in doWork
     task()
 --- <exception caught here> ---
   File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 250, in inContext
     result = inContext.theWork()
   File "/usr/lib/python3/dist-packages/twisted/python/threadpool.py", line 266, in <lambda>
     inContext.theWork = lambda: context.call(ctx, func, *args, **kw)
   File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 122, in callWithContext
     return self.currentContext().callWithContext(ctx, func, *args, **kw)
   File "/usr/lib/python3/dist-packages/twisted/python/context.py", line 85, in callWithContext
     return func(*args,**kw)
   File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 883, in callInContext
     return func(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/provisioningserver/utils/twisted.py", line 232, in wrapper
     result = func(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 756, in call_within_transaction
     return func_outside_txn(*args, **kwargs)
   File "/usr/lib/python3/dist-packages/maasserver/utils/orm.py", line 563, in retrier
     return func(*args, **kwargs)
   File "/usr/lib/python3.6/contextlib.py", line 52, in inner
     return func(*args, **kwds)
   File "/usr/lib/python3/dist-packages/maasserver/websockets/handlers/bootresource.py", line 834, in delete_image
     assert self.user.is_superuser, "Permission denied."
 builtins.AssertionError: Permission denied.

Tags: ui
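
The traceback above ends in an `assert` used as the permission check, and the failure never reaches the browser. The following added example (not MAAS code; `User`, `HandlerPermissionError`, `permissions_for`, `dispatch` and the response fields are hypothetical) shows that an assert-based check disappears when Python compiles with optimization, next to an explicit check whose failure is returned to the client and whose permission list lets the UI hide the button.

```python
# Added example with hypothetical names; not taken from the MAAS code base.
from dataclasses import dataclass

@dataclass
class User:
    name: str
    is_superuser: bool = False

# Same pattern as the check in the traceback, kept as source text so it can
# be compiled at different optimization levels.
ASSERT_HANDLER_SRC = '''
def delete_image(user, images, image_id):
    assert user.is_superuser, "Permission denied."
    images.discard(image_id)
'''

def load_assert_handler(optimize):
    """Compile the assert-based handler; optimize=1 mirrors `python -O`."""
    ns = {}
    code = compile(ASSERT_HANDLER_SRC, "<assert_handler>", "exec", optimize=optimize)
    exec(code, ns)
    return ns["delete_image"]

class HandlerPermissionError(Exception):
    """Authorization failure; unlike assert, it is never compiled away."""

def delete_image(user, images, image_id):
    # Explicit server-side check: stays in force at every optimization level.
    if not user.is_superuser:
        raise HandlerPermissionError("Permission denied.")
    images.discard(image_id)

def permissions_for(user):
    """Sent with the image list so the client can hide controls it cannot use."""
    return ["delete_image"] if user.is_superuser else []

def dispatch(user, images, request):
    """Run one request and always answer the client, on success or on error."""
    try:
        delete_image(user, images, request["params"]["id"])
    except HandlerPermissionError as exc:
        # Constructed response shape: the error text travels back to the UI.
        return {"request_id": request["request_id"], "ok": False, "error": str(exc)}
    return {"request_id": request["request_id"], "ok": True}
```

Hiding the button is a usability measure only; the server-side check in `delete_image` remains the control that enforces the permission.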


summary: - No UI feedback that removing a custom image failed because the non-admin
- user does not have permission
+ [UI] Remove Image button (for custom images) is presented to non-Admin
+ users
Changed in maas:
milestone: none → 2.5.0rc1
importance: Undecided → Medium
status: New → Triaged
tags: added: ui
Trent Lloyd (lathiat) wrote :

Andres: While the button shouldn't be there, I feel that the error not being presented is likely also a bug in itself. Should that be a separate bug? Not sure if that's an issue with this specific action or a general issue with surfacing errors back to the client.

Changed in maas:
assignee: nobody → Newell Jensen (newell-jensen)
Changed in maas:
status: Triaged → In Progress
Changed in maas:
status: In Progress → Fix Committed
Changed in maas:
status: Fix Committed → Fix Released