Bug 1343516

Summary: Cloudforms role-based access controls (RBAC) allow a user to view requests using the REST API end-point when they do not have the required permissions
Product: Red Hat CloudForms Management Engine
Reporter: John Prause <jprause>
Component: API
Assignee: Tim Wade <twade>
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Kourim <mkourim>
Severity: high
Docs Contact:
Priority: high
Version: 5.5.0
CC: cpelland, jhardy, obarenbo, simaishi
Target Milestone: GA
Keywords: ZStream
Target Release: 5.6.1
Hardware: x86_64
OS: Linux
Whiteboard: rbac:rest
Fixed In Version: 5.6.1.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1340311
Environment:
Last Closed: 2016-11-18 15:14:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On: 1297974, 1340311
Bug Blocks:

Comment 2 Satoe Imaishi 2016-11-04 20:41:32 UTC
This was fixed in 5.6.1. Please move to CLOSED CURRENTRELEASE if verification passes.

Comment 3 Martin Kourim 2016-11-15 13:30:15 UTC
Verified using steps in bug description. Resulted in
{
  "error": {
    "kind": "forbidden",
    "message": "Use of the read action is forbidden",
    "klass": "ApiController::Forbidden"
  }
}
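Added regression check, not part of this bug report or of the CloudForms/ManageIQ code base: it performs the same probe the verification comment describes, GET /api/requests as a user whose role does not grant read access to requests, and classifies the answer. A 403 carrying the error envelope shown in Comment 3 means the RBAC check is applied to the read action (the fixed behaviour); any 2xx collection answer means the action was served without the permission check (the reported defect). Assumptions: the appliance accepts HTTP basic auth on the REST API, a successful collection read returns a JSON document with a "resources" key, and the sample bodies embedded below are constructed for the offline test rather than captured from an appliance. The reproduction steps themselves are not on this page; the restricted user's role must be set up as in the original bug description.

```python
"""Regression probe for the /api/requests RBAC check (CloudForms 5.6.1 fix)."""
import base64
import json
import ssl
import urllib.error
import urllib.request

# Constructed sample bodies for offline testing (not captured from a real appliance).
SAMPLE_FORBIDDEN = (
    b'{"error":{"kind":"forbidden",'
    b'"message":"Use of the read action is forbidden",'
    b'"klass":"ApiController::Forbidden"}}'
)
SAMPLE_LEAK = (
    b'{"name":"requests","count":2,"subcount":2,'
    b'"resources":[{"href":"https://cfme.example/api/requests/1"},'
    b'{"href":"https://cfme.example/api/requests/2"}]}'
)


def classify_rbac_response(status, body):
    """Classify the reply to GET /api/requests made as a user whose role lacks
    the feature that permits reading requests.

    'enforced'      403 with the API's forbidden error envelope (fixed behaviour)
    'not_enforced'  2xx collection document: the read action was served without
                    the permission check (the behaviour this bug reports)
    'auth_failed'   401: the credentials were rejected, so the probe is inconclusive
    'other'         anything else; inspect manually
    """
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        doc = None
    err = doc.get("error") if isinstance(doc, dict) else None

    if status == 403 and isinstance(err, dict) and err.get("kind") == "forbidden":
        return "enforced"
    if status == 401:
        return "auth_failed"
    if 200 <= status < 300 and isinstance(doc, dict) and "resources" in doc:
        return "not_enforced"
    return "other"


def fetch_requests(base_url, username, password, verify_tls=True, timeout=30):
    """GET {base_url}/api/requests with HTTP basic auth; return (status, body).

    Non-2xx replies are returned rather than raised so the caller can classify them.
    Assumes the appliance accepts basic auth on the REST API.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/requests",
        headers={"Authorization": "Basic " + token, "Accept": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab appliances that still use a self-signed cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as http_err:
        return http_err.code, http_err.read()


def check_appliance(base_url, username, password, verify_tls=True):
    """Run the probe against a live appliance as the restricted user."""
    status, body = fetch_requests(base_url, username, password, verify_tls)
    return classify_rbac_response(status, body)


if __name__ == "__main__":
    import sys

    # usage: python rbac_requests_probe.py https://cfme.example restricted_user 'secret'
    url, user, pw = sys.argv[1:4]
    verdict = check_appliance(url, user, pw, verify_tls=False)
    print(verdict)
    sys.exit(0 if verdict == "enforced" else 1)
```

Run it with the restricted user's credentials; an exit status of 0 means the endpoint answered with the forbidden envelope from Comment 3. Treat "auth_failed" as a setup problem, not a pass: a 401 only shows the credentials were rejected, which says nothing about whether the read action is permission-checked.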