Created attachment 1002173 [details]
permission denied message when login with user who has been subscribed to "Discovery reader" role

Description of problem:
We assigned the "Discovery Manager" role to a user. But when I logged in with that user, the UI throws a permission denied error, though we can browse the menu items. Please see the attached screenshot.

Version-Release number of selected component (if applicable):
sat6.1 beta snap6 compose2 (Satellite-6.1.0-RHEL-6-20150311.1).

How reproducible:
always

Steps to Reproduce:
1. create a user
2. assign "Discovery reader" role
3. logout with admin user
4. login with normal user created in step1

Actual results:
permission denied message as soon as user logs in.

Expected results:
UI shouldn't show permission denied message on login.

Additional info:
production.logs when user login:

2015-03-16 09:46:52 [I] Processing by UsersController#login as HTML
2015-03-16 09:46:52 [I] Parameters: {"utf8"=>"✓", "authenticity_token"=>"xiI66GRVpAfZvPbTTW2TDZMo9isLuCU9/SxowpJD1PE=", "login"=>{"login"=>"sghai", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-03-16 09:46:52 [I] Expire fragment views/tabs_and_title_records-4 (0.6ms)
2015-03-16 09:46:52 [I] Expire fragment views/tabs_and_title_records-4 (0.1ms)
2015-03-16 09:46:52 [I] Redirected to https://dhcp201-163.englab.pnq.redhat.com/hosts
2015-03-16 09:46:52 [I] Completed 302 Found in 34ms (ActiveRecord: 13.0ms)
2015-03-16 09:46:52 [I] Processing by HostsController#index as HTML
2015-03-16 09:46:52 [I] Rendered common/403.html.erb within layouts/application (1.1ms)
2015-03-16 09:46:52 [I] Rendered home/_submenu.html.erb (3.0ms)
2015-03-16 09:46:52 [I] Rendered home/_user_dropdown.html.erb (1.8ms)
2015-03-16 09:46:52 [I] Read fragment views/tabs_and_title_records-4 (0.1ms)
2015-03-16 09:46:52 [I] Rendered home/_organization_dropdown.html.erb (7.0ms)
2015-03-16 09:46:52 [I] Rendered home/_location_dropdown.html.erb (5.0ms)
2015-03-16 09:46:52 [I] Rendered home/_org_switcher.html.erb (12.5ms)
2015-03-16 09:46:52 [I] Rendered home/_submenu.html.erb (1.6ms)
2015-03-16 09:46:52 [I] Rendered home/_submenu.html.erb (1.6ms)
2015-03-16 09:46:52 [I] Rendered home/_submenu.html.erb (1.6ms)
2015-03-16 09:46:52 [I] Rendered home/_submenu.html.erb (1.5ms)
2015-03-16 09:46:52 [I] Write fragment views/tabs_and_title_records-4 (1.2ms)
2015-03-16 09:46:52 [I] Rendered home/_topbar.html.erb (38.6ms)
2015-03-16 09:46:52 [I] Rendered layouts/base.html.erb (40.3ms)
2015-03-16 09:46:52 [I] Filter chain halted as :authorize rendered or redirected
2015-03-16 09:46:52 [I] Completed 403 Forbidden in 69ms (Views: 42.7ms | ActiveRecord: 5.0ms)
Also, please note that when the user logs in, the UI auto-selects the "default Location" but not the default_org. I think that's why we are getting permission denied. Just to be clear, when we created the user, we selected the "Default_org" and "default_location".
On login, Firebug raises this error: "NetworkError: 403 Forbidden - https://dhcp201-163.englab.pnq.redhat.com/hosts"
If I assign the "view_host" permission to the same user along with the "Discovery Manager" role, then I don't see the permission denied error. So I think we need to add view_host permissions to the "Discovery Reader" and "Discovery_Manager" roles.
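The pattern in the production.log excerpt above (a 302 from UsersController#login followed immediately by a 403 where the :authorize filter halts) can be picked out of a log mechanically when auditing custom roles. This is an added example, not part of the bug thread or of Foreman's code; the sample lines are constructed in the report's log format with a placeholder host name, and the function names are hypothetical.

```ruby
# Constructed sample in the production.log format quoted in the report
# (host name is a placeholder, not taken from the bug).
SAMPLE_LOG = <<~LOG
  2015-03-16 09:46:52 [I] Processing by UsersController#login as HTML
  2015-03-16 09:46:52 [I] Redirected to https://satellite.example.com/hosts
  2015-03-16 09:46:52 [I] Completed 302 Found in 34ms (ActiveRecord: 13.0ms)
  2015-03-16 09:46:52 [I] Processing by HostsController#index as HTML
  2015-03-16 09:46:52 [I] Rendered common/403.html.erb within layouts/application (1.1ms)
  2015-03-16 09:46:52 [I] Filter chain halted as :authorize rendered or redirected
  2015-03-16 09:46:52 [I] Completed 403 Forbidden in 69ms (Views: 42.7ms | ActiveRecord: 5.0ms)
  2015-03-16 09:50:10 [I] Processing by UsersController#login as HTML
  2015-03-16 09:50:10 [I] Redirected to https://satellite.example.com/hosts
  2015-03-16 09:50:10 [I] Completed 302 Found in 30ms (ActiveRecord: 11.0ms)
  2015-03-16 09:50:10 [I] Processing by HostsController#index as HTML
  2015-03-16 09:50:11 [I] Completed 200 OK in 120ms (Views: 80.0ms | ActiveRecord: 20.0ms)
LOG
LINE = /\A(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[\w\] (.*)\z/

# Group lines into requests: each starts at "Processing by" and ends at "Completed".
# Assumption: requests are not interleaved (this log format carries no request id).
def parse_requests(text)
  requests = []
  current = nil
  text.each_line do |raw|
    m = LINE.match(raw.chomp) or next
    case m[2]
    when /\AProcessing by (\S+) as/
      current = { time: m[1], action: $1, redirect: nil, authz_halt: false, status: nil }
    when /\ARedirected to (\S+)/
      current[:redirect] = $1 if current
    when /\AFilter chain halted as :authorize/
      current[:authz_halt] = true if current
    when /\ACompleted (\d{3})/
      next unless current
      current[:status] = $1.to_i
      requests << current
      current = nil
    end
  end
  requests
end

# A login answered with 302 whose very next request is refused by :authorize (403).
def denied_landing_pages(requests)
  requests.each_cons(2).select do |login, nxt|
    login[:action] == "UsersController#login" && login[:status] == 302 &&
      nxt[:status] == 403 && nxt[:authz_halt]
  end.map { |login, nxt| { time: nxt[:time], landing: login[:redirect], denied: nxt[:action] } }
end
```

Each hit names the controller action the role cannot reach right after login, which is the permission to check in the role definition.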
Moving to POST since upstream bug http://projects.theforeman.org/issues/13829 has been closed
-------------
Anonymous
Applied in changeset commit:foreman_discovery|ee63dc3c74e7e799de43896dc199ea0c7324aa5e.
Verified with sat6.2 snap6.2. I don't see view_host permission in discovery_reader and discovery_manager role. Please see the attached screenshots.
Created attachment 1144665 [details] discovery_reader role doesn't have view_hosts permission
Created attachment 1144668 [details] discovery_manager doesn't include view_hosts permission
The bug was not going through the cherry-picking process properly (again I assumed we will be rebasing). Please cherry pick the linked upstream code: https://github.com/theforeman/foreman_discovery/commit/ee63dc3c74e7e799de43896dc199ea0c7324aa5e
Verified with sat6.2 GA snap10. I can see the "view_host" permission in the discovery_reader and discovery_manager roles.
Created attachment 1154604 [details] discovery_manager includes "view_host" permission
Created attachment 1154605 [details] discovery_reader role includes "view_host" permission
I don't see the permission denied error on login with a user who has been assigned either the "discovery_manager" role or the "discovery_reader" role.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2016:1501