Bug 1392602

Summary: API Using incorrect arbitration_profiles query/read roles
Product: Red Hat CloudForms Management Engine
Component: API
Version: 5.7.0
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: abellott
Assignee: abellott
QA Contact: Martin Kourim <mkourim>
CC: cpelland, dajohnso, jhardy, obarenbo, slukasik
Keywords: TestOnly
Target Milestone: GA
Target Release: 5.8.0
Fixed In Version: 5.8.0.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: rest:designer
Type: Bug
Last Closed: 2017-06-12 16:22:58 UTC
Bug Blocks: 1394333

Description abellott 2016-11-07 21:32:31 UTC
Description of problem:

API is using incorrect arbitration_profiles query/read roles in the
api.yml. 
 
Version-Release number of selected component (if applicable):

5.7

How reproducible:

Always

Steps to Reproduce:
1. Set up Appliance
2. Set up a user role with
   Compute->Clouds->Cloud Providers->View->Arbitration Profiles Show CHECKED
   Compute->Clouds->Cloud Providers->View->Arbitration Profiles List UNCHECKED


GET /api/arbitration_profiles

Actual results:

Successful list of arbitration_profiles returned.

Expected results:

403/Forbidden

Additional info:

Comment 3 CFME Bot 2016-11-10 15:26:22 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/4d19ad887daddafb655b914834d06ff3369d9141

commit 4d19ad887daddafb655b914834d06ff3369d9141
Author:     Alberto Bellotti <abellott>
AuthorDate: Fri Nov 4 17:54:50 2016 -0400
Commit:     Alberto Bellotti <abellott>
CommitDate: Tue Nov 8 11:12:01 2016 -0500

    Corrected arbitration_profiles query/read roles
    
    - list/queries were referencing the individual show role instead of the show_list
    - missing resource read show role
    - added rspecs
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1392602

 config/api.yml                                |  7 +++++--
 spec/requests/api/arbitration_profile_spec.rb | 23 +++++++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

Comment 4 CFME Bot 2016-11-10 20:46:00 UTC
New commit detected on ManageIQ/manageiq/euwe:
https://github.com/ManageIQ/manageiq/commit/0bdeb5e60ade69e027455bd9da19a03682214c07

commit 0bdeb5e60ade69e027455bd9da19a03682214c07
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Thu Nov 10 10:22:39 2016 -0500
Commit:     Oleg Barenboim <chessbyte>
CommitDate: Thu Nov 10 15:36:38 2016 -0500

    Merge pull request #12455 from abellotti/api_arbitration_profiles_read_roles
    
    Corrected arbitration_profiles query/read roles
    (cherry picked from commit a13e6e1d0032502d65971d65001c5d6d1f32a26a)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1392602

 config/api.yml                                |  7 +++++--
 spec/requests/api/arbitration_profile_spec.rb | 23 +++++++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)

Comment 6 Martin Kourim 2017-02-28 19:38:28 UTC
Verified by following "Steps to Reproduce". Result:
{
  "error": {
    "kind": "forbidden",
    "message": "Use of the read action is forbidden",
    "klass": "Api::ForbiddenError"
  }
}
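
An added illustration of the role mismatch this bug describes, not code from ManageIQ or from the commits above. The identifiers `profiles_show` and `profiles_show_list`, the `BEFORE`/`AFTER` mappings and the `authorize` and `mismatches` helpers are hypothetical, and the fail-closed handling of a missing identifier is an assumption of this sketch.

```ruby
require "set"

# Hypothetical feature identifiers; the real ones live in ManageIQ's config/api.yml.
SHOW      = "profiles_show"
SHOW_LIST = "profiles_show_list"

# Constructed "before" mapping: collection reads reuse the single-item show
# identifier, and resource reads carry no identifier at all.
BEFORE = {
  collection: { read: [SHOW] },
  resource:   { read: [] }
}.freeze

# Constructed "after" mapping: list reads need show_list, item reads need show.
AFTER = {
  collection: { read: [SHOW_LIST] },
  resource:   { read: [SHOW] }
}.freeze

# Returns an HTTP status for an action on :collection or :resource.
# Assumption: a target/action with no identifiers configured is forbidden.
def authorize(mapping, target, action, user_features)
  required = mapping.dig(target, action) || []
  return 403 if required.empty?
  required.any? { |f| user_features.include?(f) } ? 200 : 403
end

# Role/target pairs where the read decision differs from what the role grants
# (both wrongly allowed and wrongly denied), checked over every combination.
def mismatches(mapping)
  expected = { collection: SHOW_LIST, resource: SHOW }
  roles = [[SHOW], [SHOW_LIST], [SHOW, SHOW_LIST], []].map(&:to_set)
  expected.flat_map do |target, needed|
    roles.reject { |r| (authorize(mapping, target, :read, r) == 200) == r.include?(needed) }
         .map { |r| [target, r.to_a] }
  end
end

show_only = Set[SHOW] # role from the steps to reproduce: Show checked, List unchecked
puts authorize(BEFORE, :collection, :read, show_only)
puts authorize(AFTER,  :collection, :read, show_only)
puts mismatches(BEFORE).inspect
```

Running the same role matrix against every collection in an API configuration catches this class of mapping error before release, which is the kind of check the added rspecs perform for this one collection.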