Bug 1733505

Summary: Non-admin user cannot query API /katello/api/capsules/:id
Product: Red Hat Satellite 6
Reporter: roarora
Component: Users & Roles
Assignee: satellite6-bugs <satellite6-bugs>
Status: NEW
QA Contact: Radovan Drazny <rdrazny>
Severity: low
Priority: unspecified
Version: 6.4.0
CC: b.prins, jhanley, mhulan, rcavalca
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: All
OS: All
Type: Bug
Doc Type: If docs needed, set a value

Description roarora 2019-07-26 10:02:34 UTC
Description of problem:

If a non-admin user calls GET on satellite.example.com/katello/api/capsules/1, it fails with the response:
"message": "Resource smart_proxy not found by id '1'"

The non-admin user has the "view_smart_proxies" permission assigned. Even if all available permissions are assigned to the user, the error response is the same.

The user is able to query information for all capsules, i.e. GET on /katello/api/capsules/, but not for a particular ID, /katello/api/capsules/:id.

The API /katello/api/capsules/:id is called by the bootstrap.py script with the --new-capsule switch, so bootstrap.py cannot be run as a non-admin user.

Version-Release number of selected component (if applicable):
6.4
6.5

How reproducible:
Always

Steps to Reproduce:
1. Create a user role and assign all available permissions to it. Create a user and assign the role to the user. The user should be non-admin.
2. Run the following API call as the above user; it fails:
# curl -u user:password https://satellite.example.com/katello/api/capsules/1

Actual results:
The API call fails with the response "message": "Resource smart_proxy not found by id '1'"

Expected results:
A non-admin user should be able to call that API with the appropriate permissions assigned.
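A reproduction helper for the symptom above, added here as an example; it is not part of the bug report and not Satellite or Katello code. It lists the capsules as the given user, then fetches each listed capsule by id and reports every id that the collection call returns but the show call rejects. It assumes only the two endpoints named in the report, the usual Katello collection shape (items under "results", each with an "id"), and an error body whose text sits under "message" either at the top level or nested under "error" (the report shows only the "message" key). The embedded responses are constructed to mirror the report and are used when no server arguments are given, so the logic can be exercised offline.

```python
"""Check whether a Satellite user can read capsules individually as well as in bulk.

Added example, not from the bug report or from Satellite/Katello.  Assumptions:
  * endpoints /katello/api/capsules/ and /katello/api/capsules/:id as in the report;
  * the collection response lists items under "results", each with an "id";
  * error text under "message", at the top level or nested under "error".
The fetcher is pluggable so the comparison can run offline on constructed data.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request


def urllib_fetch(url, user, password, cafile=None):
    """GET with HTTP basic auth; return (status, parsed JSON body)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
    })
    ctx = ssl.create_default_context(cafile=cafile)  # cafile: the Satellite CA
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.getcode(), json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        body = e.read().decode(errors="replace")
        try:
            return e.code, json.loads(body)
        except ValueError:
            return e.code, {"message": body}


def error_message(body):
    """Pull the error text out of the shapes assumed above; '' if absent."""
    if isinstance(body, dict):
        if isinstance(body.get("message"), str):
            return body["message"]
        inner = body.get("error")
        if isinstance(inner, dict) and isinstance(inner.get("message"), str):
            return inner["message"]
    return ""


def probe_capsule_access(base_url, user, password, fetch=urllib_fetch):
    """List capsules as the user, then fetch each by id.

    Returns {"listed": [ids], "hidden": {id: error text}}.  An id present in
    the collection but rejected on the show call is the symptom in the report.
    """
    status, body = fetch(f"{base_url}/katello/api/capsules/", user, password)
    if status != 200:
        raise RuntimeError(f"collection request failed: {status} {error_message(body)}")
    listed = [item["id"] for item in body.get("results", [])]
    hidden = {}
    for cid in listed:
        st, b = fetch(f"{base_url}/katello/api/capsules/{cid}", user, password)
        if st != 200:
            hidden[cid] = error_message(b)
    return {"listed": listed, "hidden": hidden}


# Constructed responses mirroring the report: the collection call succeeds,
# the show call for id 1 fails with the "smart_proxy not found" message.
SAMPLE_RESPONSES = {
    "/katello/api/capsules/": (200, {"total": 1, "results": [
        {"id": 1, "name": "capsule.example.com"}]}),
    "/katello/api/capsules/1": (404, {"message": "Resource smart_proxy not found by id '1'"}),
}


def fake_fetch(url, user, password):
    """Offline stand-in for urllib_fetch: answer from SAMPLE_RESPONSES by path."""
    path = "/" + url.split("://", 1)[-1].split("/", 1)[1]
    return SAMPLE_RESPONSES[path]


if __name__ == "__main__":
    import functools
    import sys

    if len(sys.argv) >= 4:
        base_url, user, password = sys.argv[1:4]
        cafile = sys.argv[4] if len(sys.argv) > 4 else None
        fetch = functools.partial(urllib_fetch, cafile=cafile)
        result = probe_capsule_access(base_url, user, password, fetch=fetch)
    else:
        result = probe_capsule_access("https://satellite.example.com",
                                      "user", "password", fetch=fake_fetch)
    print(json.dumps(result, indent=2))
```

Run it as `python3 probe.py https://satellite.example.com user password /path/to/satellite-ca.crt` with the non-admin user from step 1; the fourth argument is the CA certificate that signed the Satellite's web certificate, without which the TLS handshake fails for a self-signed deployment. Running it with the admin account as well gives a direct comparison: the same id set should come back with an empty "hidden" map.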

Comment 4 Marek Hulan 2019-11-21 11:13:02 UTC
Is the user assigned to the same organization and location as the capsule? Does the user have permission to view_organizations and view_locations (potentially limited to only these)?

Comment 5 Jessica Richards 2019-12-12 20:08:37 UTC
Marek: Yes, the user was already assigned to the same organization and location as the capsule, and the user's role already had the view_organizations and view_locations permissions.