Bug 1340311

Summary: Cloudforms role-based access controls (RBAC) allow a user to view requests using the REST API end-point when they do not have the required permissions
Product: Red Hat CloudForms Management Engine
Component: API
Status: CLOSED DUPLICATE
Severity: high
Priority: high
Version: 5.5.0
Target Milestone: GA
Target Release: 5.7.0
Hardware: x86_64
OS: Linux
Whiteboard: rbac:rest
Keywords: ZStream
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1343516 (view as bug list)
Environment:
Last Closed: 2016-07-25 15:44:39 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1343516

Reporter: Shane Boulden <sboulden>
Assignee: Tim Wade <twade>
QA Contact: Taras Lehinevych <tlehinev>
Docs Contact:
CC: cpelland, dajohnso, jhardy, obarenbo

Attachments:
Screenshot of approve/deny-only Cloudforms role (flags: none)

Description Shane Boulden 2016-05-27 01:37:21 UTC
Created attachment 1162324
Screenshot of approve/deny-only Cloudforms role

Description of problem:
Cloudforms role-based access controls (RBAC) allow a user to view requests using the REST API end-point when they do not have the required permissions

Version-Release number of selected component (if applicable):
CFME 5.5.3.4.20160407153134_b3e2a83 

How reproducible:
1. Create a Role in Cloudforms that is only permitted to approve/deny service requests, but not list them (per attached screenshot).
 
2. Create a group and assign the role created in (1).

3. Create a user and assign to the group created in (2).

4. Navigate to the end-point of a known request, e.g. https://cloudforms/api/requests/65000000000146

5. When prompted, enter the credentials for the user created in (3).

Actual results:
Cloudforms allows the user to view the request, even though they lack the permissions to "list/show" requests.

Expected results:
Cloudforms denies the user access to the REST API endpoint for the request.
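
The reproduction steps above, turned into a repeatable check that can be re-run after an upgrade. This is an added example, not code from the bug report or from the ManageIQ/CloudForms code base. It reads the same request twice: once as a privileged user (a positive control, so that a denial is not mistaken for a bad id or a dead endpoint) and once as the approve/deny-only user from step 3, and flags the case where the restricted user receives the record. Assumptions: HTTP Basic auth against `/api/requests/<id>` as in step 4, that 401, 403 or 404 each count as a denial (hiding the existence of a filtered-out resource is an acceptable way to deny it), and that the base URL, request id and credentials are placeholders. The responses used in the offline demonstration are constructed, not captured from an appliance.

```python
"""Probe whether the CloudForms/ManageIQ REST API enforces RBAC on a request.

Added example (not from the bug report or the ManageIQ code base). It automates
steps 4-5 of the report: read a known request once as a privileged user, as a
positive control proving the id exists and the transport works, then as the
approve/deny-only user, and flag the case where the restricted user gets the
record back.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Tuple

# Assumption: any of these counts as a denial. 404 is included because hiding
# the existence of a filtered-out resource is an acceptable way to deny it.
DENIED = {401, 403, 404}

# Transport signature: (url, user, password) -> (status, body). Injected so the
# decision logic can be exercised offline with constructed responses.
Fetch = Callable[[str, str, str], Tuple[int, str]]


def http_fetch(url: str, user: str, password: str,
               verify_tls: bool = True) -> Tuple[int, str]:
    """GET with HTTP Basic auth; returns (status, body) for 4xx/5xx as well."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    })
    # Appliances often run with a self-signed certificate; opting out is explicit.
    ctx = None if verify_tls else ssl._create_unverified_context()
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


@dataclass
class Verdict:
    url: str
    control_status: int     # what the privileged user got
    restricted_status: int  # what the restricted user got (-1 = not attempted)
    leaked: bool            # True: the restricted user received the record
    note: str


def probe_request(base_url: str, request_id: str,
                  privileged: Tuple[str, str], restricted: Tuple[str, str],
                  fetch: Fetch = http_fetch) -> Verdict:
    url = f"{base_url.rstrip('/')}/api/requests/{request_id}"

    ctrl_status, _ = fetch(url, *privileged)
    if ctrl_status != 200:
        return Verdict(url, ctrl_status, -1, False,
                       "control failed: the privileged user cannot read this id, "
                       "so a denial for the restricted user would prove nothing")

    status, body = fetch(url, *restricted)
    if status in DENIED:
        return Verdict(url, ctrl_status, status, False, "denied as expected")
    if status == 200:
        # A 200 only counts as a leak if the body really is the request record,
        # not e.g. an HTML login page served with a 200.
        try:
            got_id = str(json.loads(body).get("id"))
        except (ValueError, AttributeError):
            got_id = ""
        leaked = got_id == str(request_id)
        note = ("RBAC bypass: restricted user received the request record"
                if leaked else "200 but the body is not the request record")
        return Verdict(url, ctrl_status, status, leaked, note)
    return Verdict(url, ctrl_status, status, False, f"unexpected status {status}")


if __name__ == "__main__":
    import sys
    # usage: rbac_probe.py https://cloudforms 65000000000146 admin:PW approver:PW
    base, rid, priv, restr = sys.argv[1:5]
    verdict = probe_request(base, rid, tuple(priv.split(":", 1)),
                            tuple(restr.split(":", 1)))
    print(verdict)
    sys.exit(1 if verdict.leaked else 0)
```

The control read matters: without it, wrong credentials, a typo in the id or a firewall between the tester and the appliance would all produce a "denied" result and the check would pass for the wrong reason. The body check on a 200 guards against the opposite false result, where a web front end answers every unauthenticated request with a login page and a 200.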

Comment 3 Tim Wade 2016-07-20 14:19:46 UTC
Shane: This should have been fixed upstream in https://github.com/ManageIQ/manageiq/pull/8554 - can you confirm?

Comment 4 Shane Boulden 2016-07-21 22:39:23 UTC
Hi Tim, I've just tested on darga-2.20160711210308_ce72215 and it works great!

Thanks very much for tracking this down.

Comment 5 Tim Wade 2016-07-25 15:44:39 UTC
Hi Shane, Thanks for testing this out!

I will close this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1297974

*** This bug has been marked as a duplicate of bug 1297974 ***