Bug 1757394

Summary: [BUG] Non-admin users always get "Missing one of the required permissions" message while accessing their own table_preferences via Satellite 6 API
Product: Red Hat Satellite
Reporter: Sayan Das <saydas>
Component: Users & Roles
Assignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED ERRATA
QA Contact: Radovan Drazny <rdrazny>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.6.0
CC: apatel, egolov, lhellebr, mhulan
Target Milestone: 6.8.0
Keywords: Triaged
Target Release: Unused
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: foreman-2.0.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-27 12:59:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sayan Das 2019-10-01 11:59:36 UTC
Description of problem:

Non-admin users cannot access their own table_preferences via the REST API, no matter what combination of roles has been assigned to them.

The same user will be able to access the table_preferences when you mark the user as "ADMIN".

Version-Release number of selected component (if applicable):


How reproducible:
100 %

Steps to Reproduce:
1. Create a user "NA-USER" on Satellite GUI but don't mark it as Admin.

2. Try to access the API https://sat-fqdn/api/users/:id/table_preferences where the ":id" is the ID of "NA-USER" and authentication is being done by the same user.

3. Assign all the Roles to the user "NA-USER" but don't mark it as "Admin" and then try accessing the API again.


Actual results:
In both steps 2 and 3, the REST API returns:
~~~~~~~~~~~~
{
    "error": {
        "message": "Access denied",
        "details": "Missing one of the required permissions: "
    }
}
~~~~~~~~~~~~


Expected results:
It should display the table_preferences without throwing any error.


Additional info:
If I mark the same user as Admin, it will be able to execute the API call successfully and will be able to see the result as well.

I went through the discussion "https://community.theforeman.org/t/user-preferences/12007/4", but was unable to get any pointers from it that might help me understand what the problem here might be.

Comment 4 Dominik Matoulek 2019-12-03 14:15:44 UTC
Created redmine issue https://projects.theforeman.org/issues/28405 from this bug

Comment 5 Bryan Kearney 2020-01-17 17:02:20 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28405 has been resolved.

Comment 6 Radovan Drazny 2020-06-25 14:33:08 UTC
Tested on Sat 6.8 Snap 5.

$ hammer user list --organization-id 1
---|-------|------------|------------------------------|-------|---------------------|--------------
ID | LOGIN | NAME       | EMAIL                        | ADMIN | LAST LOGIN          | AUTHORIZED BY
---|-------|------------|------------------------------|-------|---------------------|--------------
5  | raduz |            | raduz@localhost              | no    | 2020/06/25 14:22:56 | Internal     
4  | admin | Admin User | root.rdu2.redhat.com | yes   | 2020/06/25 14:26:25 | Internal     
---|-------|------------|------------------------------|-------|---------------------|--------------

-----
On a client

Accessing table_preferences for the correct user

$ curl -ku admin:changeme https://dhcp-3-238.vms.sat.rdu2.redhat.com/api/users/4/table_preferences | json_reformat
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   151    0   151    0     0    162      0 --:--:-- --:--:-- --:--:--   162
{
    "total": 0,
    "subtotal": 0,
    "page": 1,
    "per_page": 20,
    "search": null,
    "sort": {
        "by": null,
        "order": null
    },
    "results": [

    ]
}


Accessing table_preferences for an incorrect (different) user

$ curl -ku admin:changeme https://dhcp-3-238.vms.sat.rdu2.redhat.com/api/users/5/table_preferences | json_reformat
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   140    0   140    0     0    159      0 --:--:-- --:--:-- --:--:--   158
{
    "error": {
        "message": "Access denied",
        "details": "You are trying access the preferences of a different user",
        "missing_permissions": null
    }
}


Accessing table_preferences for a correct user without the admin flag

$ curl -ku raduz:nimda https://dhcp-3-238.vms.sat.rdu2.redhat.com/api/users/5/table_preferences | json_reformat
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   151    0   151    0     0    170      0 --:--:-- --:--:-- --:--:--   170
{
    "total": 0,
    "subtotal": 0,
    "page": 1,
    "per_page": 20,
    "search": null,
    "sort": {
        "by": null,
        "order": null
    },
    "results": [

    ]
}
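
The three responses quoted above, together with the one in the original description, fix the authorization behaviour of `/api/users/:id/table_preferences` on both sides of the fix: before it, a non-admin user is refused with "Missing one of the required permissions: " (note the empty list after the colon) even for their own id; after it, any user can read their own preferences, and nobody, admin flag or not, can read another user's. The Ruby below is an added example that models that decision so the expected outcomes can be replayed offline. It is not code from Foreman, Satellite or this bug: the `User` struct, the function names, the default empty permission list in the "before" model, and the role set given to `raduz` are assumptions made for the example, and the reading of the empty permission list as an action mapped to no grantable permission is a plausible interpretation of the reported message, not the upstream root cause.

```ruby
# Illustrative model of the /api/users/:id/table_preferences authorization
# decision, reconstructed from the responses quoted in this bug report.
# NOT Foreman's or Satellite's code; User, the permission names and the
# function names are assumptions made for this example.

User = Struct.new(:id, :login, :admin, :permissions, keyword_init: true)

# Error body shape as returned by the API in the quoted responses.
def access_denied(details, missing_permissions = nil)
  { "error" => { "message" => "Access denied",
                 "details" => details,
                 "missing_permissions" => missing_permissions } }
end

# Empty paginated result, as returned for a user with no saved table preferences.
def preferences_for(_target_id)
  { "total" => 0, "subtotal" => 0, "page" => 1, "per_page" => 20,
    "search" => nil, "sort" => { "by" => nil, "order" => nil },
    "results" => [] }
end

# Behaviour reported against Satellite 6.6: a generic permission filter runs
# before any self-access check. The empty default for required_permissions is an
# ASSUMPTION consistent with the empty list in the reported message: an action
# mapped to no grantable permission can only be satisfied by the admin flag, so
# no combination of roles helps. The quoted report shows only the self-access
# case, so this model does not claim what the pre-fix code did for other users.
def table_preferences_before(current_user, target_id, required_permissions = [])
  granted = current_user.admin ||
            (!required_permissions.empty? &&
             (required_permissions - current_user.permissions).empty?)
  unless granted
    return access_denied("Missing one of the required permissions: #{required_permissions.join(', ')}")
  end
  preferences_for(target_id)
end

# Behaviour verified on Satellite 6.8 (comment 6): a user may read only their
# own preferences. Neither roles nor the admin flag grant access to another
# user's preferences, and the denial names the reason instead of a permission.
def table_preferences_after(current_user, target_id)
  unless current_user.id == target_id
    return access_denied("You are trying access the preferences of a different user")
  end
  preferences_for(target_id)
end

# Replays the calls quoted on this page (ids 4 and 5, as in the hammer listing)
# and returns, per case, whether the call was allowed. The role set given to
# raduz is constructed for the example; the bug says no role set made a difference.
def replay
  admin = User.new(id: 4, login: "admin", admin: true, permissions: [])
  raduz = User.new(id: 5, login: "raduz", admin: false,
                   permissions: ["view_users", "edit_users"])
  allowed = ->(body) { !body.key?("error") }
  {
    before_non_admin_self: allowed.call(table_preferences_before(raduz, 5)),
    before_admin_self:     allowed.call(table_preferences_before(admin, 4)),
    after_admin_self:      allowed.call(table_preferences_after(admin, 4)),
    after_admin_other:     allowed.call(table_preferences_after(admin, 5)),
    after_non_admin_self:  allowed.call(table_preferences_after(raduz, 5)),
  }
end

puts replay.inspect if $PROGRAM_NAME == __FILE__
```

The point worth keeping from the model is the ordering: a blanket permission filter that runs before the "is this my own resource" check turns an unmapped action into a hard denial for everyone except admins, and widening roles cannot fix it. The verified behaviour checks ownership first and never falls back to the admin flag for someone else's preferences, which is the stricter and correct outcome for per-user data.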

Comment 9 errata-xmlrpc 2020-10-27 12:59:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366