Bug 2027975

Description of problem:

The documentation [1] states that in order to use the API call /api/v2/hosts/bulk/installable_errata the role 'view_hosts' is required.

This API call returns a permission error.

After having enabled debug logs for permissions [2] on my test Satellite I can see the following:

$ cat /var/log/foreman/production.log

2021-12-01T08:43:35 [I|app|c961b70e] Started POST "/api/v2/hosts/bulk/installable_errata" for 127.0.0.1 at 2021-12-01 08:43:35 +0100
2021-12-01T08:43:35 [I|app|c961b70e] Processing by Katello::Api::V2::HostsBulkActionsController#installable_errata as */*
2021-12-01T08:43:35 [I|app|c961b70e]   Parameters: {"included"=>{"ids"=>[3]}, "organization_id"=>1, "api_version"=>"v2", "hosts_bulk_action"=>{"included"=>{"ids"=>[3]}, "organization_id"=>1}}
2021-12-01T08:43:36 [D|app|c961b70e] Authenticated user saime against INTERNAL authentication source
2021-12-01T08:43:36 [D|per|c961b70e] Current user set to foreman_admin (admin)
2021-12-01T08:43:36 [D|app|c961b70e] Post-login processing for saime
2021-12-01T08:43:36 [D|per|c961b70e] Current user set to foreman_admin (admin)
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [I|app|c961b70e] Authorized user saime(sebastien aime)
2021-12-01T08:43:36 [D|app|c961b70e] Post-login processing for saime
2021-12-01T08:43:36 [D|per|c961b70e] Current user set to foreman_admin (admin)
2021-12-01T08:43:36 [D|dyn|] Executor heartbeat
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [I|per|c961b70e] Current user set to saime (regular)
2021-12-01T08:43:36 [D|tax|c961b70e] Current location set to none
2021-12-01T08:43:36 [D|tax|c961b70e] Current organization set to ACME
2021-12-01T08:43:36 [D|tax|c961b70e] Current location set to none
2021-12-01T08:43:36 [D|tax|c961b70e] Current organization set to ACME
2021-12-01T08:43:36 [D|per|c961b70e] checking permission edit_hosts for class Host::Managed
2021-12-01T08:43:36 [D|per|c961b70e] organization_ids: []
2021-12-01T08:43:36 [D|per|c961b70e] location_ids: []
2021-12-01T08:43:36 [D|per|c961b70e] 
2021-12-01T08:43:36 [D|per|c961b70e] no filters found for given permission
2021-12-01T08:43:36 [E|app|c961b70e] *** ERROR: Action unauthorized to be performed on selected hosts. (403) ***
2021-12-01T08:43:36 [E|app|c961b70e] REQUEST URL: /api/v2/hosts/bulk/installable_errata
2021-12-01T08:43:36 [E|app|c961b70e] Katello::HttpErrors::Forbidden: Action unauthorized to be performed on selected hosts.

It seems that the system checks for the edit_hosts role, not the view_hosts one.

The same behaviour can be observed with the API call /api/v2/hosts/bulk/applicable_errata

--- references ---
[1] https://access.redhat.com/documentation/en-us/red_hat_satellite/6.9/html/api_guide/apipermsmatrix
[2] https://access.redhat.com/solutions/2252291

How reproducible:

I could reproduce it on a fully updated Satellite 6.9. The customer who has initially reported this issue has mentioned that this error has started to occur only after their Satellite has been upgraded to 6.9.

Steps to Reproduce:
1. Have a Satellite 6.9
2. Create a user with 'view_hosts' role
3. curl -k -u <USER>:<PASSWD> -X POST -d '{"included": {"ids": [3]}, "organization_id": 1}' -H 'Content-Type: application/json' https://<SAT_URL>/api/v2/hosts/bulk/installable_errata  | python -m json.tool

Change hosts and organization id according to your own environment.

Actual results:

{
    "displayMessage": "Action unauthorized to be performed on selected hosts.",
    "errors": [
        "Action unauthorized to be performed on selected hosts."
    ]
}

Expected results:

No error

Additional info:

While working with SBR it looked that the issue could also be reproduced with a 6.7 Satellite, but not 100%. The call worked for some hosts and it didn't for others.