Bug 1639387

Summary: User with View My Tasks permission can see other users' tasks via API
Product: Red Hat CloudForms Management Engine
Reporter: Antonin Pagac <apagac>
Component: API
Assignee: Joe Vlcek <jvlcek>
Status: CLOSED ERRATA
QA Contact: Sudhir Mallamprabhakara <smallamp>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.9.5
CC: dmetzger, mfeifer, mshriver, obarenbo, simaishi
Target Milestone: GA
Keywords: Reopened
Target Release: 5.11.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.11.0.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-12-12 13:34:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:

Description Antonin Pagac 2018-10-15 15:29:47 UTC
Description of problem:
User with product feature Settings -> Tasks -> View -> My Tasks can view only his tasks via UI, but can see other users' tasks via API.

Version-Release number of selected component (if applicable):
5.9.5.1
5.10.0.19

How reproducible:
Always

Steps to Reproduce:
1. Create a user with Settings -> Tasks -> View -> My Tasks (but not All Tasks), for example EvmRole-support
2. Navigate to Tasks via UI, verify you can see only "My Tasks"
3. Query API with the user

Actual results:
User can see all tasks, not only those created by him

Expected results:
User should see only his tasks

Additional info:
API query example:
curl -k "https://<username>:<password>@<IP>/api/tasks/"
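The gap described above, as an added illustration that is not part of the bug report or of the ManageIQ fix: a task listing that only checks whether the caller holds a task-viewing feature, beside one that also scopes the result to the caller's own tasks the way the UI does. The classes, the feature names and the sample tasks are all made up here (the feature names are placeholders, not real product-feature identifiers), and the example also covers single-task lookup, which the report itself does not mention.

```ruby
# Constructed illustration of the authorization gap in this bug and a
# server-side fix for it. Not ManageIQ code: the classes, the feature
# names (placeholders, not real product-feature identifiers) and the
# sample tasks are all made up here.

Task = Struct.new(:id, :name, :userid)
User = Struct.new(:userid, :features)

# Hypothetical role features standing in for "All Tasks" and "My Tasks"
VIEW_ALL_TASKS = "tasks_view_all".freeze
VIEW_MY_TASKS  = "tasks_view_mine".freeze

# Constructed sample data: tasks owned by two different users
TASKS = [
  Task.new(1, "VM provision",      "alice"),
  Task.new(2, "Report generation", "bob"),
  Task.new(3, "SmartState scan",   "alice"),
].freeze

def can_view_tasks?(user)
  user.features.include?(VIEW_ALL_TASKS) || user.features.include?(VIEW_MY_TASKS)
end

# Behaviour reported in the bug: the API only checks that the caller may
# view tasks at all, then returns every task regardless of owner.
def list_tasks_unscoped(user, tasks = TASKS)
  raise ArgumentError, "forbidden" unless can_view_tasks?(user)
  tasks
end

# Fixed behaviour: the server applies the same owner scope the UI applies,
# so a role holding only "My Tasks" never sees another user's tasks.
def visible_tasks(user, tasks = TASKS)
  raise ArgumentError, "forbidden" unless can_view_tasks?(user)
  return tasks if user.features.include?(VIEW_ALL_TASKS)
  tasks.select { |t| t.userid == user.userid }
end

# The same scope must cover single-resource lookups too; returning nil for
# both "not found" and "not yours" avoids confirming that another user's
# task id exists.
def find_visible_task(user, id, tasks = TASKS)
  visible_tasks(user, tasks).find { |t| t.id == id }
end

if __FILE__ == $PROGRAM_NAME
  support = User.new("bob", [VIEW_MY_TASKS])
  puts "unscoped: #{list_tasks_unscoped(support).map(&:id).inspect}"  # [1, 2, 3]
  puts "scoped:   #{visible_tasks(support).map(&:id).inspect}"        # [2]
end
```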

Comment 4 CFME Bot 2018-12-21 16:30:51 UTC
New commit detected on ManageIQ/manageiq/master:

https://github.com/ManageIQ/manageiq/commit/485a2df11367f58dacd3e641ee8deb7ffdb53d57
commit 485a2df11367f58dacd3e641ee8deb7ffdb53d57
Author:     Joe VLcek <jvlcek>
AuthorDate: Thu Dec 20 13:53:34 2018 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Thu Dec 20 13:53:34 2018 -0500

    Ensure a user's own tasks are the only ones returned when the user's role has View/My Tasks

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1639387

 app/models/miq_product_feature.rb | 6 +-
 app/models/miq_user_role.rb | 4 +
 app/models/user.rb | 2 +-
 spec/models/miq_user_role_spec.rb | 16 +
 4 files changed, 25 insertions(+), 3 deletions(-)

Comment 5 CFME Bot 2018-12-21 22:37:34 UTC
New commit detected on ManageIQ/manageiq-api/master:

https://github.com/ManageIQ/manageiq-api/commit/905f429b0cf01325031090812b2dd7992f42667b
commit 905f429b0cf01325031090812b2dd7992f42667b
Author:     Joe VLcek <jvlcek>
AuthorDate: Thu Dec 13 16:08:49 2018 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Thu Dec 13 16:08:49 2018 -0500

    Ensure a user's own tasks are the only ones returned when the user's role has View/My Tasks

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1639387

 app/controllers/api/base_controller/renderer.rb | 12 +-
 app/controllers/api/tasks_controller.rb | 11 +
 spec/requests/tasks_spec.rb | 42 +-
 3 files changed, 55 insertions(+), 10 deletions(-)

Comment 6 Antonin Pagac 2019-04-29 11:49:35 UTC
Verified with 5.11.0.1.

Comment 10 errata-xmlrpc 2019-12-12 13:34:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4199