Bug 1594757

Summary: [RFE] non-admin user can't see requests under /api/requests
Product: Red Hat CloudForms Management Engine
Reporter: Niladri Roy <niroy>
Component: API
Assignee: Keenan Brock <kbrock>
Status: CLOSED ERRATA
QA Contact: Antonin Pagac <apagac>
Severity: high
Priority: high
Version: 5.9.0
CC: apagac, cpelland, gtanzill, jprause, kbrock, mzazrivec, obarenbo, simaishi
Target Milestone: GA
Keywords: FutureFeature
Target Release: 5.10.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 5.10.0.4
Last Closed: 2019-02-07 23:03:14 UTC
Type: Bug
Cloudforms Team: CFME Core

Description Niladri Roy 2018-06-25 11:00:00 UTC
Description of problem:
It seems to be impossible to get the requests list from the API as a non-admin user; only admin can get requests from the API.

Version-Release number of selected component (if applicable):
5.9.2.4

How reproducible:


Steps to Reproduce:
1. See the list of requests in the Web portal by going to Services>Requests as a non-admin user
2. Make an API query to /api/requests as the same user

Actual results:
count: shows non zero value
subcount: 0

Expected results:
Using the web portal, requests can be seen under Services>Requests; they should also be shown at /api/requests for the same user.

Additional info:
User is in custom group with custom role having full access and no filter.

Comment 8 Keenan Brock 2018-06-27 16:25:57 UTC
I added a product feature 'miq_request_superadmin' for viewing/creating requests in https://bugzilla.redhat.com/show_bug.cgi?id=1090627

before: only users in the default admin group (not a copy) could view requests.
after: a copy of the admin group or other groups with the feature can now view requests

There were a number of BZs that seemed to want the same type of solution. I tried to build that solution to solve the general solution.

Please let me know if it conflicts with your needs here.

Comment 9 Milan Zázrivec 2018-06-27 17:05:43 UTC
Keenan, please correct me if I'm wrong, but as far as I can tell, to have this
fixed in current 5.9, we'd have to backport all of the PRs (Core + UI + API) from
https://bugzilla.redhat.com/show_bug.cgi?id=1090627 over to 5.9.

Seeing that https://bugzilla.redhat.com/show_bug.cgi?id=1090627 is actually an RFE
and would require a non-trivial amount of work to be done (including rigorous
testing), it needs to be re-evaluated whether or not this is 5.9 material.

Comment 14 Keenan Brock 2018-09-04 14:35:41 UTC
Milan,

Think this can be closed - it should be in master.

--K

Comment 15 Milan Zázrivec 2018-09-04 14:42:45 UTC
The work here has already been done by Keenan (it's all in current master),
I'm moving this over to POST so that it can be properly verified.

Comment 16 Antonin Pagac 2019-01-21 16:54:49 UTC
Appliance version: 5.10.0.32

Non-admin user can now see his requests if he has Services -> Requests -> View permission.
UI is consistent with api.
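
The before/after behaviour described in comments 8 and 16, as an added Ruby sketch that is not part of the original thread and is not ManageIQ/CloudForms code: it contrasts an authorization check keyed on one built-in group's identity with one keyed on role features, and reproduces the count/subcount mismatch from the report. The class names, the "default-admin" group name and the "requests_view" feature id are assumptions; only 'miq_request_superadmin' comes from the page.

```ruby
# Illustrative model only. Class names, "default-admin" and "requests_view"
# are assumptions; 'miq_request_superadmin' is the feature named in comment 8.
require "set"

Role    = Struct.new(:name, :features)
Group   = Struct.new(:name, :role)
User    = Struct.new(:userid, :group)
Request = Struct.new(:id, :requester)

DEFAULT_ADMIN_GROUP = "default-admin"          # constructed name
SUPERADMIN_FEATURE  = "miq_request_superadmin" # from comment 8
VIEW_FEATURE        = "requests_view"          # placeholder feature id

# Before: access depends on being in the one built-in admin group, so a
# copied admin group or a custom full-access role sees nothing.
def visible_before(user, requests)
  user.group.name == DEFAULT_ADMIN_GROUP ? requests : []
end

# After: access depends on product features carried by the user's role.
def visible_after(user, requests)
  features = user.group.role.features
  return requests if features.include?(SUPERADMIN_FEATURE)
  return requests.select { |r| r.requester == user.userid } if features.include?(VIEW_FEATURE)
  []
end

# Models the count/subcount pair from the report (assumption: count is the
# collection size, subcount is what the caller is allowed to see).
def collection_summary(user, requests, filter)
  { count: requests.size, subcount: send(filter, user, requests).size }
end

# Constructed sample data.
REQUESTS   = [Request.new(1, "alice"), Request.new(2, "bob"), Request.new(3, "alice")]
admin_role = Role.new("super", Set[SUPERADMIN_FEATURE, VIEW_FEATURE])
ADMIN      = User.new("admin", Group.new(DEFAULT_ADMIN_GROUP, admin_role))
ADMIN_COPY = User.new("carol", Group.new("copy-of-admin", admin_role))
ALICE      = User.new("alice", Group.new("custom", Role.new("custom", Set[VIEW_FEATURE])))
NO_ACCESS  = User.new("dave", Group.new("guests", Role.new("none", Set[])))

if __FILE__ == $PROGRAM_NAME
  [ADMIN, ADMIN_COPY, ALICE, NO_ACCESS].each do |u|
    puts format("%-6s before=%p after=%p", u.userid,
                collection_summary(u, REQUESTS, :visible_before),
                collection_summary(u, REQUESTS, :visible_after))
  end
end
```

A regression check for this class of bug is to assert, per role, that the API subcount matches what the same user sees in the UI.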

Comment 17 errata-xmlrpc 2019-02-07 23:03:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0212