Bug 1392612

Summary: API allows fetching virtual_templates without appropriate role
Product: Red Hat CloudForms Management Engine
Reporter: abellott
Component: API
Assignee: abellott
Status: CLOSED CURRENTRELEASE
QA Contact: Martin Kourim <mkourim>
Severity: high
Docs Contact:
Priority: high
Version: 5.7.0
CC: cpelland, dajohnso, jhardy, obarenbo, slukasik
Target Milestone: GA
Keywords: TestOnly
Target Release: 5.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: rest:template:security
Fixed In Version: 5.8.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1394335
Environment:
Last Closed: 2017-06-12 16:24:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1394335

Description abellott 2016-11-07 21:45:40 UTC
Description of problem:

API is missing the role identifier for reading virtual_templates resources.
This means that a user with a role without the Show Virtual Templates access can still fetch an individual virtual template.

Version-Release number of selected component (if applicable):

5.7

How reproducible:

Always

Steps to Reproduce:
1. Set up a user with a role with
   Access Rules for all Virtual Machines -> Template Access Rules -> Virtual Templates -> Show Virtual Templates UNCHECKED
2. GET /api/virtual_templates/:id

Actual results:

Successful return of the resource

Expected results:

403/Forbidden

Additional info:

Comment 3 CFME Bot 2016-11-10 15:26:27 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/6e3b51a3fad3c390c87d5e15c0baabbfb233d00e

commit 6e3b51a3fad3c390c87d5e15c0baabbfb233d00e
Author:     Alberto Bellotti <abellott>
AuthorDate: Fri Nov 4 17:07:50 2016 -0400
Commit:     Alberto Bellotti <abellott>
CommitDate: Tue Nov 8 10:13:39 2016 -0500

    Was missing a role identifier for reading virtual_templates resources.
    
    - Added the virtual_template_show role identifier for reading
    /api/virtual_templates/:id resources
    - Added specs
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1392612

 config/api.yml                              |  4 ++++
 spec/requests/api/virtual_templates_spec.rb | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)

Comment 4 CFME Bot 2016-11-10 20:46:05 UTC
New commit detected on ManageIQ/manageiq/euwe:
https://github.com/ManageIQ/manageiq/commit/b5eb7caa29c3659a6888de36946c4b01a77adb73

commit b5eb7caa29c3659a6888de36946c4b01a77adb73
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Thu Nov 10 10:21:57 2016 -0500
Commit:     Oleg Barenboim <chessbyte>
CommitDate: Thu Nov 10 15:39:00 2016 -0500

    Merge pull request #12452 from abellotti/api_virtual_template_resource_read_role
    
    Was missing a role identifier for reading virtual_templates resources.
    (cherry picked from commit 1a0ec9c8cb4304fe89e5c6daef39a632e14699a8)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1392612

 config/api.yml                              |  4 ++++
 spec/requests/api/virtual_templates_spec.rb | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)

Comment 6 Martin Kourim 2017-02-28 19:06:28 UTC
Verified by following "Steps to Reproduce". Result:
{
  "error": {
    "kind": "forbidden",
    "message": "Use of the read action is forbidden",
    "klass": "Api::ForbiddenError"
  }
}
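
The pattern behind this bug, as an added example that is not ManageIQ's code: in a config-driven REST layer, each resource action is guarded by a role identifier looked up from the API configuration, so an action with no identifier is simply never checked and fails open. The block below models the reproduction steps from the description, the fix from the commit (adding virtual_template_show to the read action), and the error document from the verification comment. The config fragments are constructed stand-ins for the shape of config/api.yml with simplified keys (the vm_show entry is illustrative), and ForbiddenError, authorize!, get_resource and actions_without_identifier are assumed names for this example only.

```ruby
require "yaml"

# Constructed stand-in for the shape of ManageIQ's config/api.yml.
# Only two collections are shown and the keys are simplified; this is
# not the project's file. The virtual_templates read action carries no
# identifier, which is the state the bug report describes.
API_CONFIG_BEFORE = YAML.safe_load(<<~YAML).freeze
  collections:
    vms:
      resource_actions:
        get:
          - name: read
            identifier: vm_show
    virtual_templates:
      resource_actions:
        get:
          - name: read
YAML

# The same fragment after the fix: the read action now names the
# virtual_template_show identifier, as the commit above adds.
API_CONFIG_AFTER = YAML.safe_load(<<~YAML).freeze
  collections:
    vms:
      resource_actions:
        get:
          - name: read
            identifier: vm_show
    virtual_templates:
      resource_actions:
        get:
          - name: read
            identifier: virtual_template_show
YAML

# Stand-in error class; the message format is the one shown in the
# verification comment.
class ForbiddenError < StandardError; end

# Identifier guarding +action+ on a single resource of +collection+ for
# HTTP +method+, or nil when the config names none.
def identifier_for(config, collection, method, action)
  actions = config.dig("collections", collection, "resource_actions", method) || []
  entry = actions.find { |a| a["name"] == action }
  entry && entry["identifier"]
end

# Config-driven authorization as modelled here: if the config has no
# identifier for the action, no check runs at all, so the request is
# allowed regardless of role. That is the fail-open gap in the report.
def authorize!(config, role_identifiers, collection, method, action)
  ident = identifier_for(config, collection, method, action)
  return :allowed_unchecked if ident.nil?
  return :allowed if role_identifiers.include?(ident)

  raise ForbiddenError, "Use of the #{action} action is forbidden"
end

# Error document in the shape the verification comment shows.
def forbidden_response(error)
  { "error" => { "kind" => "forbidden", "message" => error.message,
                 "klass" => "Api::ForbiddenError" } }
end

# Simulate GET /api/<collection>/:id for a caller holding the given
# role identifiers. Returns [status, body].
def get_resource(config, role_identifiers, collection)
  authorize!(config, role_identifiers, collection, "get", "read")
  [200, { "href" => "/api/#{collection}/1" }]
rescue ForbiddenError => e
  [403, forbidden_response(e)]
end

# The check a practitioner would want in CI: every resource action must
# name an identifier, so a gap like this one fails the build instead of
# shipping as an unauthenticated-by-omission endpoint. Returns the
# offending [collection, method, action] triples.
def actions_without_identifier(config)
  config.fetch("collections").flat_map do |collection, spec|
    (spec["resource_actions"] || {}).flat_map do |method, actions|
      actions.reject { |a| a["identifier"] }
             .map { |a| [collection, method, a["name"]] }
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Role from the reproduction steps: "Show Virtual Templates" unchecked,
  # so the caller holds vm_show but not virtual_template_show.
  role = ["vm_show"]
  p get_resource(API_CONFIG_BEFORE, role, "virtual_templates") # 200: fail-open
  p get_resource(API_CONFIG_AFTER, role, "virtual_templates")  # 403 with the error document
  p actions_without_identifier(API_CONFIG_BEFORE)               # [["virtual_templates", "get", "read"]]
end
```

The point of actions_without_identifier is that the fix in the commit is a one-entry data change, and nothing in a per-endpoint request spec catches the next collection that ships without one; a spec that asserts the audit returns an empty list turns every future omission into a test failure rather than a silently unguarded endpoint.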