Bug 1391810

Summary: User can't create repository in custom product
Product: Red Hat Satellite Reporter: Neil Miao <nmiao>
Component: Users & RolesAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED DUPLICATE QA Contact: Katello QA List <katello-qa-list>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.2.2CC: bbuckingham, dhlavacd, mhulan, vvasilev
Target Milestone: Unspecified   
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-07 17:45:02 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Neil Miao 2016-11-04 05:30:47 UTC 
Description of problem:

Non-admin user, with full permissions granted, cannot create any repository in a custom product.

A red notification box 'You are not authorized to perform this action.' shows up when the user click the 'create repository' button in the product page (https://satellite6.corp.redhat.com/products/xxx/repositories)

Firebug picked up 2 403s API calls initiated by JS

GET https://satellite6.corp.redhat.com/api/v2/settings?search=name+%3D+default_download_policy 403 (Forbidden)

GET https://satellite6.corp.redhat.com/katello/api/v2/repositories/repository_types?creatable=true&organization_id=6 403 (Forbidden)


Version-Release number of selected component (if applicable):
foreman-1.11.0.54-1.el7sat.noarch
tfm-rubygem-katello-3.0.0.80-1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. assuming the satellite already has a org and a few locations, sub manifest is imported
2. create a role 'test' with the following permissions:
- all permissions under organization
- all permissions under content views
- all permissions under LC environments
- all permissions under Product and Repositories

3. create a user 'jdoe', attach only the 'test' role
4. login as jdoe
5. create a custom product 'test'
6. click the 'new repository' button within product 'test'

Actual results:
- no 'You are not authorized to perform this action.' pops up
- 'type' dropdown is populated
- default download policy is selected in 'download policy' dropdown


Expected results:
- 'type' dropdown is empty
- nothing is selected in the 'download policy' dropdown (this is only visible after the first repository type bug is fixed, because the 'download policy' dropdown box is hidden when nothing is selected in the 'type' dropdown box



Additional info:
Comment 1 Neil Miao 2016-11-04 05:35:15 UTC 
The first repository type bug is fixed with the following patch:


(/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.80/lib/katello/permissions/product_permissions.rb)

# diff -u product_permissions.rb.orig product_permissions.rb
--- product_permissions.rb.orig	2016-11-04 05:33:06.565873001 +0000
+++ product_permissions.rb	2016-11-04 05:33:39.933873975 +0000
@@ -5,7 +5,7 @@
              {
                'katello/products' => [:auto_complete, :auto_complete_search],
                'katello/api/v2/products' => [:index, :show],
-               'katello/api/v2/repositories' => [:index, :show],
+               'katello/api/v2/repositories' => [:index, :show, :repository_types],
                'katello/api/v2/packages' => [:index, :show],
                'katello/api/v2/distributions' => [:index, :show],
                'katello/api/v2/package_groups' => [:index, :show],


As such, whoever has the :view_products permission will be able to view the repository types.
Comment 2 Neil Miao 2016-11-04 05:40:24 UTC 
The settings one is a bit tricky.

The access is blocked at 2 places:

1. the permission set is missing :"api/v2/settings" => [:index]"

(/usr/share/foreman/app/services/foreman/access_permissions.rb)

  permission_set.security_block :settings_menu do |map|
    map.permission :access_settings,  {:home => [:settings]}
  end


2. only admin can read the settings

(/usr/share/foreman/app/controllers/api/v2/settings_controller.rb)

module Api
  module V2
    class SettingsController < V2::BaseController
      before_filter :require_admin


Someone need to come up something else to allow non-admin to read at least the default_download_policy
Comment 3 Brad Buckingham 2016-11-07 17:45:02 UTC 
Hi Neil,

Thank you for opening the bugzilla.  This one appears to be a duplicate of bug 1374505; therefore, I am going to close it as a duplicate.  If that bug does not solve the issue for your case, please do let us know.

*** This bug has been marked as a duplicate of bug 1374505 ***