Bug 788008

Summary: SecurityViolation error while accessing system Errata/status
Product: Red Hat Satellite Reporter: Sachin Ghai <sghai>
Component: WebUIAssignee: Tom McKay <tomckay>
Status: CLOSED CURRENTRELEASE QA Contact: Katello QA List <katello-qa-list>
Severity: high Docs Contact:
Priority: high    
Version: 6.0.0CC: bkearney, cwelton, jturner, mmccune, tomckay
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-22 18:25:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
Clicking on drop down list box raised security voilation error
none
Complete error log from production.log none

Description Sachin Ghai 2012-02-07 08:24:57 UTC 
Description of problem:

While selecting the dropdown listing of errata display under system tab, i got following error in production.log
----
Started GET "/katello/systems/1/errata/status?_=1328599005455" for 10.65.193.48 at Tue Feb 07 07:21:22 -0500 2012
  Processing by SystemErrataController#status as JSON
  Parameters: {"system_id"=>"1", "_"=>"1328599005455"}
User reader is not allowed to access system_errata/status
User reader is not allowed to access system_errata/status
#<Errors::SecurityViolation: User reader is not allowed to access system_errata/status>
/usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
----

Version-Release number of selected component (if applicable):
katello-0.1.211-2.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Register a system using admin user
2. Create a read only user 'reader' with 'Read Everything' role
3. login with reader
4. Under systems tab ==> select system ==> on right pane, select 'Errata'
5. Click on drop down list box
  
Actual results:
#<Errors::SecurityViolation: User reader is not allowed to access system_errata/status>

Expected results:
No backtrace should be there in production.log instead of this UI should raise a
permission denied message if read only user is not allowed access system errata.


Additional info:
Comment 1 Sachin Ghai 2012-02-07 08:27:20 UTC 
Created attachment 559868 [details]
Clicking on drop down list box raised security voilation error
Comment 2 Sachin Ghai 2012-02-07 08:28:11 UTC 
Created attachment 559869 [details]
Complete error log from production.log
Comment 4 Tom McKay 2012-03-01 21:24:56 UTC 
Tested and unable to reproduce.

Please re-test in version being built today.
Comment 5 Sachin Ghai 2012-03-06 06:34:26 UTC 
It is still reproducible.

---
[ERROR: 2012-03-06 11:55:15 #27366] User reader is not allowed to access system_errata/status
[ERROR: 2012-03-06 11:55:15 #27366] User reader is not allowed to access system_errata/status
[ERROR: 2012-03-06 11:55:15 #27366] #<Errors::SecurityViolation: User reader is not allowed to access system_errata/status>
[ERROR: 2012-03-06 11:55:15 #27366] /usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:458:in `_run__625565855__process_action__1696389161__callbacks'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_2775'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/share/katello/lib/util/threadsession.rb:79:in `thread_locals'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:220:in `_conditional_callback_around_2775'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:451:in `_run__625565855__process_action__1696389161__callbacks'
[
---

I tested this today with following builds:

[root@perceptor ~]# rpm -qa | grep -ie pulp-1 -ie katello-0
pulp-1.0.0-2.el6.noarch
katello-0.2.5-1.el6.noarch


Steps to reproduce.

1. Login with admin user
2. Register a system using rhsm
3. Create a read only user reader and assign 'Read Everything' role
4. Login with 'reader'
5. Go to systems tab ==> select the system ==> errata
6. check production.log
Comment 6 Tom McKay 2012-03-06 14:33:27 UTC 
Confirmed. I missed the message in the log since the UI behaves normally.
Comment 7 Tom McKay 2012-03-06 15:35:24 UTC 
commit 570877cfd57721f946d0504bd1c6aa57d2ab47d5
Author: Tom McKay <thomasmckay>
Date:   Tue Mar 6 10:34:21 2012 -0500

    788008 - do not attempt to poll errata status when user does not have edit permission
Comment 10 Corey Welton 2012-03-07 21:35:35 UTC 
Verified in brew build fixed in compose 0.1.303-1.el6