Bug 1326031

Summary: Non-admin user receives permissions error on config_templates API
Product: Red Hat Satellite Reporter: Bryan Kearney <bkearney>
Component: Users & RolesAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA QA Contact: jcallaha
Severity: medium Docs Contact:
Priority: unspecified    
Version: 6.2.0CC: bbuckingham, cwelton, jcallaha
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
URL: http://projects.theforeman.org/issues/14000
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-27 11:29:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bryan Kearney 2016-04-11 15:46:59 UTC 
When using a non-admin user account to access /api/v2/config_templates/1 or any non-index action, the user receives a 404 response due to failing permissions.

<pre>
2016-03-02T08:44:44 [app] [I] Started GET "/api/v2/config_templates/1" for 127.0.0.1 at 2016-03-02 08:44:44 +0000
2016-03-02T08:44:44 [app] [I] Processing by Api::V2::ConfigTemplatesController#show as JSON
2016-03-02T08:44:44 [app] [I]   Parameters: {"apiv"=>"v2", "id"=>"1"}
2016-03-02T08:44:44 [sql] [D]   User Load (0.2ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = '13920test' LIMIT 1
2016-03-02T08:44:44 [sql] [D]   AuthSource Load (0.2ms)  SELECT  "auth_sources".* FROM "auth_sources"  WHERE "auth_sources"."id" = ? LIMIT 1  [["id", 1]]
2016-03-02T08:44:44 [sql] [D]   CACHE (0.0ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = '13920test' LIMIT 1
2016-03-02T08:44:44 [sql] [D] Authenticated user 13920test against INTERNAL authentication source
2016-03-02T08:44:44 [sql] [D]   User Load (0.2ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = 'foreman_admin' LIMIT 1
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to foreman_admin
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to nil
2016-03-02T08:44:44 [sql] [D] Post-login processing for 13920test
2016-03-02T08:44:44 [sql] [D]   CACHE (0.0ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = 'foreman_admin' LIMIT 1
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to foreman_admin
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  begin transaction
2016-03-02T08:44:44 [sql] [D]   SQL (0.3ms)  UPDATE "users" SET "last_login_on" = ?, "updated_at" = ? WHERE "users"."id" = 58  [["last_login_on", "2016-03-02 08:44:44.488791"], ["updated_at", "2016-03-02 08:44:44.489481"]]
2016-03-02T08:44:44 [sql] [D]   Role Load (0.1ms)  SELECT  "roles".* FROM "roles"  WHERE "roles"."name" = 'Anonymous' LIMIT 1
2016-03-02T08:44:44 [sql] [D]    (0.0ms)  SELECT "roles".id FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = ? AND "user_roles"."owner_type" = 'User'  [["owner_id", 58]]
2016-03-02T08:44:44 [sql] [D]    (14.4ms)  commit transaction
2016-03-02T08:44:44 [sql] [D]   CACHE (0.0ms)  SELECT  "roles".* FROM "roles"  WHERE "roles"."name" = 'Anonymous' LIMIT 1
2016-03-02T08:44:44 [sql] [D]   Role Exists (0.1ms)  SELECT  1 AS one FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = ? AND "user_roles"."owner_type" = 'User' AND "roles"."id" = 8 LIMIT 1  [["owner_id", 58]]
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to nil
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to 13920test
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  SELECT auth_sources.id FROM "auth_sources"  WHERE "auth_sources"."type" IN ('AuthSourceHidden')
2016-03-02T08:44:44 [sql] [D]   User Load (0.1ms)  SELECT  "users".* FROM "users"  WHERE ("users"."auth_source_id" NOT IN (7)) AND "users"."lower_login" = '13920test'  ORDER BY firstname LIMIT 1
2016-03-02T08:44:44 [app] [I] Authorized user 13920test(13920 test)
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to 13920test
2016-03-02T08:44:44 [sql] [D]   Usergroup Load (0.1ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "cached_usergroup_members" ON "usergroups"."id" = "cached_usergroup_members"."usergroup_id" WHERE "cached_usergroup_members"."user_id" = ?  ORDER BY usergroups.name  [["user_id", 58]]
2016-03-02T08:44:44 [sql] [D]   Role Load (0.1ms)  SELECT DISTINCT "roles".* FROM "roles" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ?  [["user_id", 58]]
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  SELECT permissions.name FROM "permissions" INNER JOIN "filterings" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "filters" ON "filterings"."filter_id" = "filters"."id" WHERE "filters"."role_id" = ?  ORDER BY filters.role_id, filters.id  [["role_id", 37]]
2016-03-02T08:44:44 [app] [W] DEPRECATION WARNING: Your API call uses deprecated behavior, The resources /config_templates were moved to /provisioning_templates. Please use the new path instead. (called from deprecated at /home/dcleal/code/foreman/foreman/app/controllers/api/v2/config_templates_controller.rb:122)
2016-03-02T08:44:44 [permissions] [D] checking permission view_config_templates
2016-03-02T08:44:44 [sql] [D]   Filter Load (0.2ms)  SELECT "filters".* FROM "filters" INNER JOIN "filterings" ON "filterings"."filter_id" = "filters"."id" INNER JOIN "permissions" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "roles" ON "filters"."role_id" = "roles"."id" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? AND (permissions.resource_type = 'ProvisioningTemplate') AND (permissions.name = 'view_config_templates')  ORDER BY filters.role_id, filters.id  [["user_id", 58]]
2016-03-02T08:44:44 [permissions] [D] 
2016-03-02T08:44:44 [permissions] [D] no filters found for given permission
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  SELECT COUNT(*) FROM "templates"  WHERE (1=0) AND "templates"."type" IN ('ProvisioningTemplate')
2016-03-02T08:44:44 [app] [I] ActiveRecord::RecordNotFound (ActiveRecord::RecordNotFound)
2016-03-02T08:44:44 [app] [I]   Rendered api/v2/errors/not_found.json.rabl within api/v2/layouts/error_layout (0.7ms)
2016-03-02T08:44:44 [app] [I] Completed 404 Not Found in 45ms (Views: 3.4ms | ActiveRecord: 16.4ms)
</pre>

The key part of the log is:

<pre>
2016-03-02T08:44:44 [permissions] [D] checking permission view_config_templates
</pre>

The controller_permission method in the config templates API controller which should force it to check provisioning_templates permissions isn't being taken into account.

It looks like the support for controller_permission from #9687 regressed in #8343.
Comment 1 Bryan Kearney 2016-04-11 15:47:01 UTC 
Created from redmine issue http://projects.theforeman.org/issues/14000
Comment 2 Bryan Kearney 2016-04-11 16:11:09 UTC 
Moving to POST since upstream bug http://projects.theforeman.org/issues/14000 has been closed
-------------
Dominic Cleal
Applied in changeset commit:f05b9307fe36d877364b0ee5bee7212c3315c97e.
Comment 4 jcallaha 2016-06-16 18:10:35 UTC 
Verified in Satellite 6.2 Beta Snap 15.2

Now a user without the proper permissions is given the following response.

{
  "error": {
    "message": "Access denied",
    "details": "Missing one of the required permissions: view_provisioning_templates"
  }
}
Comment 5 Bryan Kearney 2016-07-27 11:29:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501