Bug 1376753

Summary: forbidden to read policies and policy_profiles using REST API
Product: Red Hat CloudForms Management Engine Reporter: Martin Kourim <mkourim>
Component: APIAssignee: Šimon Lukašík <slukasik>
Status: CLOSED ERRATA QA Contact: Martin Kourim <mkourim>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 5.7.0CC: jhardy, obarenbo, simaishi, slukasik
Target Milestone: GA   
Target Release: 5.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: api:rest
Fixed In Version: 5.7.0.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-04 13:00:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core Target Upstream Version:
Embargoed:

Description Martin Kourim 2016-09-16 10:24:55 UTC 
Description of problem:

Trying to GET /api/policies or /api/policy_profiles results in

{"error":{"kind":"forbidden","message":"Use of the read action is forbidden","klass":"Api::BaseController::Forbidden"}}


Version-Release number of selected component (if applicable):
5.7.0.0


How reproducible:
always
Comment 2 CFME Bot 2016-09-19 14:16:41 UTC 
https://github.com/ManageIQ/manageiq/pull/11364
Comment 3 CFME Bot 2016-09-20 23:05:59 UTC 
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/72a4e6bd803e946765d3769073141c39c689679d

commit 72a4e6bd803e946765d3769073141c39c689679d
Author:     Šimon Lukašík <isimluk>
AuthorDate: Mon Sep 19 11:57:38 2016 +0200
Commit:     Šimon Lukašík <isimluk>
CommitDate: Mon Sep 19 13:43:52 2016 +0200

    API: Fix permissions on /api/policy_profiles
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1376753
    
    The profile_show_list did not exists, as result the /api/profiles
    entrypoint was returning Forbidden.

 config/api.yml                       | 6 +++---
 db/fixtures/miq_product_features.yml | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)
Comment 4 CFME Bot 2016-09-20 23:06:03 UTC 
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/af66451b150b62617076c9e3bcd20d9ceb0702ec

commit af66451b150b62617076c9e3bcd20d9ceb0702ec
Author:     Šimon Lukašík <isimluk>
AuthorDate: Mon Sep 19 11:36:38 2016 +0200
Commit:     Šimon Lukašík <isimluk>
CommitDate: Mon Sep 19 11:42:19 2016 +0200

    API: Fix permissions on /api/policies
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1376753
    
    The policy_show_list and policy_show did not exists, as a result anyone
    trying to use this entrypoint discovered Forbidden exception.
    
    The policy_view feature seems to be just enough, I can see no need for
    fine grained _show and _show_list.
    
    Note that tests were passing just ok on /api/policies, that is because
    we explicitly call 'api_basic_authorize :policy_show_list'. We need
    another test to ensure that identifiers are valid.

 config/api.yml                       | 6 +++---
 db/fixtures/miq_product_features.yml | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)
Comment 5 Martin Kourim 2016-10-06 12:34:37 UTC 
Verified that it's possible to GET /api/policies and /api/policy_profiles
Comment 7 errata-xmlrpc 2017-01-04 13:00:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0012.html