Bug 2224113
| Summary: | ACS bulk refresh through API silently sanitizes input ids | | |
|---|---|---|---|
| Product: | Red Hat Satellite | Reporter: | Quinn James <qjames> |
| Component: | Alternate Content Sources | Assignee: | Samir Jha <sajha> |
| Status: | CLOSED ERRATA | QA Contact: | Vladimír Sedmík <vsedmik> |
| Severity: | low | Priority: | unspecified |
| Version: | 6.13.0 | CC: | iballou, pcreech, rlavi, sajha, vsedmik |
| Target Milestone: | 6.14.0 | Keywords: | Triaged |
| Target Release: | Unused | Hardware: | Unspecified |
| OS: | Unspecified | Type: | Bug |
| Fixed In Version: | rubygem-katello-4.9.0.11-1 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2023-11-08 14:19:57 UTC | | |

Description
Quinn James
2023-07-19 19:48:19 UTC
I just confirmed this behavior also occurs for bulk delete of alternate content sources.

Created redmine issue https://projects.theforeman.org/issues/36634 from this bug

Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/36634 has been resolved.

Verified in 6.14.0 snap 11

1) Invalid ids are caught on bulk actions and proper error message is displayed:

```
[root@sat ~]# curl -X POST -su admin:nene -H "Content-type: application/json" https://$(hostname)/katello/api/alternate_content_sources/bulk/refresh --data '{"ids": [1,2,3]}' | jq
{
  "displayMessage": "Could not find alternate content sources with id: [\"3\"] . You either do not have required permissions, or these alternate content sources do not exist.",
  "errors": [
    "Could not find alternate content sources with id: [\"3\"] . You either do not have required permissions, or these alternate content sources do not exist."
  ]
}

[root@sat ~]# curl -X PUT -su admin:nene -H "Content-type: application/json" https://$(hostname)/katello/api/alternate_content_sources/bulk/destroy --data '{"ids": [1,2,3]}' | jq
{
  "displayMessage": "Could not find alternate content sources with id: [\"3\"] . You either do not have required permissions, or these alternate content sources do not exist.",
  "errors": [
    "Could not find alternate content sources with id: [\"3\"] . You either do not have required permissions, or these alternate content sources do not exist."
  ]
}
```

2) Valid ids are accepted and actions run:

```
[root@sat ~]# curl -X POST -su admin:nene -H "Content-type: application/json" https://$(hostname)/katello/api/alternate_content_sources/bulk/refresh --data '{"ids": [1,2]}' | jq
{
  "id": "37491c3a-940b-40fa-8f14-585128b92086",
  "label": "Actions::BulkAction",
  "pending": true,
  "action": "Bulk action",
  ...
}

[root@sat ~]# curl -X PUT -su admin:nene -H "Content-type: application/json" https://$(hostname)/katello/api/alternate_content_sources/bulk/destroy --data '{"ids": [1,2]}' | jq
{
  "id": "eda91f3e-62ef-4ada-b65c-0620ab02fc3e",
  "label": "Actions::BulkAction",
  "pending": true,
  "action": "Bulk action",
  ...
}
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Important: Satellite 6.14 security and bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6818
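
The difference between the reported behaviour and the verified one, as an added Ruby sketch that is not part of the bug report and is not Katello's code: a bulk lookup that silently drops unresolved ids beside one that rejects the whole request. The data, `visible_sources`, `resolve_silently`, `resolve_strictly` and `BulkLookupError` are hypothetical names, and the error text is modelled on the message quoted in the verification.

```ruby
require 'set'

# Constructed sample data: ids 1 and 2 exist and are visible to the caller,
# id 4 exists but the caller has no permission on it, id 3 does not exist.
SOURCES = { 1 => 'acs-one', 2 => 'acs-two', 4 => 'acs-restricted' }.freeze
VISIBLE_IDS = Set[1, 2].freeze

class BulkLookupError < StandardError; end

# Hypothetical stand-in for a permission-scoped finder.
def visible_sources(ids)
  ids.select { |id| SOURCES.key?(id) && VISIBLE_IDS.include?(id) }
end

# Behaviour the bug describes: unresolved ids are dropped without notice,
# so the caller cannot tell a partial run from a complete one.
def resolve_silently(ids)
  visible_sources(ids.map(&:to_i).uniq)
end

# Behaviour shown in the verification: any unresolved id fails the request.
# Nonexistent and unauthorized ids produce the same message, so the response
# does not reveal which ids exist.
def resolve_strictly(ids)
  # Integer() raises ArgumentError on non-numeric input instead of coercing to 0.
  requested = ids.map { |id| Integer(id.to_s, 10) }.uniq
  found = visible_sources(requested)
  missing = requested - found
  unless missing.empty?
    raise BulkLookupError,
          "Could not find alternate content sources with id: #{missing.map(&:to_s)}"
  end
  found
end

if __FILE__ == $PROGRAM_NAME
  p resolve_silently([1, 2, 3])
  begin
    resolve_strictly([1, 2, 3])
  rescue BulkLookupError => e
    puts e.message
  end
end
```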