Bug 1399725

Summary: Standard user is unable to access "Red Hat Subscriptions" page
Product: Red Hat Satellite Reporter: Harshad More <hmore>
Component: Subscription ManagementAssignee: David Davis <daviddavis>
Status: CLOSED ERRATA QA Contact: Bruno Rocha <rochacbruno>
Severity: medium Docs Contact:
Priority: medium    
Version: 6.2.3CC: ahumbe, aperotti, bbuckingham, daviddavis, dhlavacd, dlezzoum, jcallaha, mmccune, rochacbruno, tomckay, walden
Target Milestone: UnspecifiedKeywords: PrioBumpField, Triaged
Target Release: Unused   
Hardware: x86_64   
OS: Linux   
URL: http://projects.theforeman.org/issues/17757
Whiteboard:
Fixed In Version: rubygem-katello-3.0.0.134-1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1446724 (view as bug list) Environment:
Last Closed: 2017-06-20 17:21:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1399395    
Attachments:
Description Flags
Screenshot of error on WebUI
none
verification:ok none

Description Harshad More 2016-11-29 15:42:47 UTC 
Created attachment 1225904 [details]
Screenshot of error on WebUI

Description of problem:
Standard user is unable to access  Content --> "Red Hat Subscriptions" page even after assigning Viewer role.

Version-Release number of selected component (if applicable):
6.2.1, 6.2.3, 6.2.4 (6.2.x)

How reproducible:
Always

Steps to Reproduce:
1.Create a test user. Fill all details (password, assign organisation on default login, etc)
2. From Roles select Viewer and submit
3.Login with that user and access the "Red Hat Subscriptions" page

Actual results:
Will get error on screen -- "We're sorry, but something went wrong."

Expected results:

User should be able to see subscription page

Additional info:

PFA : screenshot of the error on webUI

And below is the log output of foreman-tail:

==> /var/log/foreman/production.log <==
2016-11-30 02:31:07 [app] [I] Processing by Katello::ApplicationController#permission_denied as HTML
2016-11-30 02:31:12 [app] [I]   Rendered /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.81/app/views/katello/api/v2/subscriptions/manifest_history.json.rabl within katello/api/v2/layouts/collection (9.9ms)
2016-11-30 02:31:12 [app] [I] Completed 200 OK in 5244ms (Views: 89.9ms | ActiveRecord: 25.8ms)

==> /var/log/httpd/foreman-ssl_access_ssl.log <==
10.76.1.98 - - [30/Nov/2016:02:31:06 +0530] "GET /katello/api/v2/organizations/1/subscriptions/manifest_history? HTTP/1.1" 200 147 "https://10.65.10.138/subscriptions/manifest/import" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36"

==> /var/log/foreman/production.log <==
2016-11-30 02:31:13 [app] [I] Completed 500 Internal Server Error in 6028ms
2016-11-30 02:31:14 [app] [F] 
 | ActionView::MissingTemplate (Missing template katello/common/403 with {:locale=>[:en], :formats=>[:html], :variants=>[], :handlers=>[:erb, :builder, :raw, :ruby, :rabl]}. Searched in:
 |   * "/usr/share/foreman/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_openscap-0.5.3.18/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_theme_satellite-0.1.31/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_remote_execution-0.3.0.12/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/redhat_access-1.0.13/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.81/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/bastion-3.2.0.10/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman-tasks-0.7.14.9/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-5.0.0.9/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_docker-2.0.1.11/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_bootdisk-6.1.0.3/app/views"
 |   * "/opt/theforeman/tfm/root/usr/share/gems/gems/apipie-rails-0.3.6/app/views"
 | ):
 |   katello (3.0.0.81) app/controllers/katello/application_controller.rb:290:in `block (2 levels) in render_403'
 |   katello (3.0.0.81) app/controllers/katello/application_controller.rb:289:in `render_403'
 |   app/controllers/application_controller.rb:61:in `deny_access'
 |   app/controllers/application_controller.rb:53:in `authorize'
 |   lib/middleware/catch_json_parse_errors.rb:9:in `call'
Comment 1 Walden Raines 2016-12-19 19:24:29 UTC 
Created redmine issue http://projects.theforeman.org/issues/17757 from this bug
Comment 3 David Davis 2017-03-07 18:23:13 UTC 
I was not able to reproduce this error on 6.2.8 using the reproduce steps. Using the steps listed, I could view the subscriptions page fine with the test user. However, when I attempted to visit the subscriptions page with a user that did not have subs view permission, I encountered the error. It looks like there is an open issue around rendering the 403 page:

http://projects.theforeman.org/issues/15943
Comment 5 David Davis 2017-03-08 14:30:36 UTC 
I was able to reproduce this finally. It's a bit different BZ #1333219. The key is you must NOT have a manifest imported. The error occurs because the readonly user is redirected to edit manifests if there are no subscriptions: 

https://github.com/Katello/katello/blob/241d6aacf3df7564d0676d774afe1fe077c2b772/engines/bastion_katello/app/assets/javascripts/bastion_katello/subscriptions/subscriptions.controller.js#L67-L69

And of course they don't have edit permissions so you hit a 403. What we probably want to do is to only transition to manifest import if the user has the 'import_manifest' permission.
Comment 6 Satellite Program 2017-03-08 15:15:47 UTC 
Upstream bug assigned to daviddavis
Comment 7 Satellite Program 2017-03-08 15:15:51 UTC 
Upstream bug assigned to daviddavis
Comment 8 Satellite Program 2017-03-09 13:16:11 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue http://projects.theforeman.org/issues/17757 has been resolved.
Comment 9 David Davis 2017-03-09 14:03:25 UTC 
Upstream PR:

https://github.com/Katello/katello/pull/6658

Very small fix. Minimal impact. I recommend we get this into next 6.2 z-stream.
Comment 10 Ashish Humbe 2017-03-10 07:08:24 UTC 
Thank you David !
Comment 11 David Davis 2017-04-03 11:57:57 UTC 
QE: Note comment #5. To recap, steps to reproduce:

0. On a system or in a org with NO MANIFEST
1. Create a user with view only role
2. Login as the user and go to the subscriptions page

Actual results:

Will get error on screen -- "We're sorry, but something went wrong."

Expected results:

User should be able to see subscription page
Comment 12 Bruno Rocha 2017-05-31 09:53:21 UTC 
Created attachment 1283680 [details]
verification:ok

Verified in satellite-6.2.10-2.0.el7sat.noarch

Working fine for standard non-admin user with only the Viewer role.
Comment 14 errata-xmlrpc 2017-06-20 17:21:52 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:1553