Bug 1733505

Summary: Non admin user can not query API /katello/api/capsules/:id
Product: Red Hat Satellite Reporter: roarora
Component: Users & RolesAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX QA Contact: Radovan Drazny <rdrazny>
Severity: low Docs Contact:
Priority: unspecified    
Version: 6.4.0CC: b.prins, jhanley, mhulan, rcavalca
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-09 17:02:24 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description roarora 2019-07-26 10:02:34 UTC 
Description of problem:

If a non admin user calls a GET API on satellite.example.com/katello/api/capsules/1, it fails with response : 
"message": "Resource smart_proxy not found by id '1'"

Non admin user has "view_smart_proxies" permissions assigned. Even if all available persmissions are assigned to the user, the error response is same.

User is able to query information for all capsules i.e GET on /katello/api/capsules/ but not for a particular ID /katello/api/capsules/:id

The API /katello/api/capsules/:id is called  by bootstrap.py script with --new-capsule switch so bootstrap.py cannot be run with non admin user.

Version-Release number of selected component (if applicable):
6.4
6.5

How reproducible:
Always

Steps to Reproduce:
1. Create a user role and assign all available permissions to it. Create a user and assign the role to the user. User should be non admin 
2. Run following api with above user and it fails
# curl -u user:password https://satellite.example.com/katello/api/capsules/1

Actual results:
APi fails with response "message": "Resource smart_proxy not found by id '1'"

Expected results:
Non admin user should be able to call that API with appropriate permissions assigned
Comment 4 Marek Hulan 2019-11-21 11:13:02 UTC 
Is the user assigned to the same organization and location as the capsule? Does the user have permission to view_organizations and view_locations (potentially limited to only these)?
Comment 5 Jessica Hanley 2019-12-12 20:08:37 UTC 
Marek: Yes, the user was already assigned to the same organization and location as the capsule, and the user's role already had the view_organizations and view_locations permissions.
Comment 6 Shira Maximov 2020-07-13 13:50:36 UTC 
Created redmine issue https://projects.theforeman.org/issues/30385 from this bug
Comment 7 Mike McCune 2021-03-16 15:58:36 UTC 
Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in a month. If you have any concerns about this, please contact your Red Hat Account team.  Thank you.
Comment 9 Mike McCune 2021-07-09 17:02:24 UTC 
Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this feel free to contact your Red Hat Account Team. Thank you.