Bug 1202279 - UI throws permission denied message when providing discovery roles to a normal user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Discovery Plugin
Version: 6.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: Unspecified
Assignee: Lukas Zapletal
QA Contact: Sachin Ghai
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks: 1193977
 
Reported: 2015-03-16 09:47 UTC by Sachin Ghai
Modified: 2019-09-26 17:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 11:35:25 UTC
Target Upstream Version:
Embargoed:


Attachments
permission denied message when login with user who has been subscribed to "Discovery reader" role (23.89 KB, image/png)
2015-03-16 09:47 UTC, Sachin Ghai
discovery_reader role doesn't have view_hosts permission (34.77 KB, image/png)
2016-04-07 10:42 UTC, Sachin Ghai
discovery_manager doesn't include view_hosts permission (28.64 KB, image/png)
2016-04-07 10:43 UTC, Sachin Ghai
discovery_manager includes "view_host" permission (58.42 KB, image/png)
2016-05-06 12:18 UTC, Sachin Ghai
discovery_reader role includes "view_host" permission (46.69 KB, image/png)
2016-05-06 12:18 UTC, Sachin Ghai


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 13829 0 None None None 2016-04-22 16:42:20 UTC

Description Sachin Ghai 2015-03-16 09:47:03 UTC
Created attachment 1002173 [details]
permission denied message when login with user who has been subscribed to "Discovery reader" role

Description of problem:
We assigned the "Discovery Manager" role to a user. But when I logged in as that user, the UI throws a permission denied error, though we can browse the menu items. Please see the attached screenshot.


Version-Release number of selected component (if applicable):
sat6.1 beta snap6 compose2 (Satellite-6.1.0-RHEL-6-20150311.1).

How reproducible:
always

Steps to Reproduce:
1. create a user
2. assign "Discovery reader" role
3. logout with admin user
4. login with normal user created in step1

Actual results:
permission denied message as soon as user logs in.

Expected results:
UI shouldn't show permission denied message on login.

Additional info:
production.logs when user login:

2015-03-16 09:46:52 [I] Processing by UsersController#login as HTML
2015-03-16 09:46:52 [I]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"xiI66GRVpAfZvPbTTW2TDZMo9isLuCU9/SxowpJD1PE=", "login"=>{"login"=>"sghai", "password"=>"[FILTERED]"}, "commit"=>"Login"}
2015-03-16 09:46:52 [I] Expire fragment views/tabs_and_title_records-4 (0.6ms)
2015-03-16 09:46:52 [I] Expire fragment views/tabs_and_title_records-4 (0.1ms)
2015-03-16 09:46:52 [I] Redirected to https://dhcp201-163.englab.pnq.redhat.com/hosts
2015-03-16 09:46:52 [I] Completed 302 Found in 34ms (ActiveRecord: 13.0ms)
2015-03-16 09:46:52 [I] Processing by HostsController#index as HTML
2015-03-16 09:46:52 [I]   Rendered common/403.html.erb within layouts/application (1.1ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (3.0ms)
2015-03-16 09:46:52 [I]   Rendered home/_user_dropdown.html.erb (1.8ms)
2015-03-16 09:46:52 [I] Read fragment views/tabs_and_title_records-4 (0.1ms)
2015-03-16 09:46:52 [I]   Rendered home/_organization_dropdown.html.erb (7.0ms)
2015-03-16 09:46:52 [I]   Rendered home/_location_dropdown.html.erb (5.0ms)
2015-03-16 09:46:52 [I]   Rendered home/_org_switcher.html.erb (12.5ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (1.6ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (1.6ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (1.6ms)
2015-03-16 09:46:52 [I]   Rendered home/_submenu.html.erb (1.5ms)
2015-03-16 09:46:52 [I] Write fragment views/tabs_and_title_records-4 (1.2ms)
2015-03-16 09:46:52 [I]   Rendered home/_topbar.html.erb (38.6ms)
2015-03-16 09:46:52 [I]   Rendered layouts/base.html.erb (40.3ms)
2015-03-16 09:46:52 [I] Filter chain halted as :authorize rendered or redirected
2015-03-16 09:46:52 [I] Completed 403 Forbidden in 69ms (Views: 42.7ms | ActiveRecord: 5.0ms)
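
A triage sketch for the log excerpt in the description above, as an added example that is not part of the original report or of Foreman's code: it groups production.log lines into requests and reports a login redirect whose landing action was halted by the `:authorize` filter with a 403. The sample lines are excerpted from the log above; the function names are hypothetical, and grouping by line order assumes requests are not interleaved in the log.

```ruby
# Sample input: lines excerpted from the production.log in the report above.
SAMPLE_LOG = <<~'LOG'
  2015-03-16 09:46:52 [I] Processing by UsersController#login as HTML
  2015-03-16 09:46:52 [I] Redirected to https://dhcp201-163.englab.pnq.redhat.com/hosts
  2015-03-16 09:46:52 [I] Completed 302 Found in 34ms (ActiveRecord: 13.0ms)
  2015-03-16 09:46:52 [I] Processing by HostsController#index as HTML
  2015-03-16 09:46:52 [I]   Rendered common/403.html.erb within layouts/application (1.1ms)
  2015-03-16 09:46:52 [I] Filter chain halted as :authorize rendered or redirected
  2015-03-16 09:46:52 [I] Completed 403 Forbidden in 69ms (Views: 42.7ms | ActiveRecord: 5.0ms)
LOG

# Timestamp, one-letter level in brackets, then the message.
LINE = /\A(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \[\w\]\s+(?<msg>.*)\z/

# Hypothetical helper: fold log lines into one hash per request.
# Assumption: lines of different requests are not interleaved.
def parse_requests(log)
  requests = []
  current = nil
  log.each_line do |raw|
    m = LINE.match(raw.chomp) or next
    case m[:msg]
    when /\AProcessing by (\w+(?:::\w+)*)#(\w+)/
      current = { ts: m[:ts], action: "#{$1}##{$2}", status: nil,
                  halted_by: nil, redirect: nil }
      requests << current
    when /\ARedirected to (\S+)/
      current[:redirect] = $1 if current
    when /\AFilter chain halted as :(\w+)/
      current[:halted_by] = $1 if current
    when /\ACompleted (\d{3}) /
      current[:status] = $1.to_i if current
      current = nil
    end
  end
  requests
end

# Hypothetical helper: a successful login (302) immediately followed by a
# request that :authorize halted with 403, i.e. the landing page needs a
# permission the user's roles do not grant.
def denied_after_login(requests)
  requests.each_cons(2).select do |prev, cur|
    prev[:action] == "UsersController#login" && prev[:status] == 302 &&
      cur[:status] == 403 && cur[:halted_by] == "authorize"
  end.map { |prev, cur| { landing: prev[:redirect], denied: cur[:action] } }
end

puts denied_after_login(parse_requests(SAMPLE_LOG)).inspect if __FILE__ == $PROGRAM_NAME
```
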

Comment 1 Sachin Ghai 2015-03-16 09:48:53 UTC
Also, please note that when the user logs in, the UI auto-selects the "default Location" but not the default_org. I think that's the issue why we are getting permission denied.

Just to be clear, when we created the user, we selected the "Default_org" and "default_location".

Comment 3 Sachin Ghai 2015-03-16 11:26:31 UTC
on login, firebug raises this error:

"NetworkError: 403 Forbidden - https://dhcp201-163.englab.pnq.redhat.com/hosts"

Comment 4 Sachin Ghai 2015-03-25 11:09:44 UTC
If I assign the "view_host" permission to the same user along with the "Discovery Manager" role, then I don't see the permission denied error.

So I think we need to add view_host permissions to the "Discovery Reader" and "Discovery_Manager" roles.

Comment 5 Bryan Kearney 2016-02-23 15:02:03 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/13829 has been closed
-------------
Anonymous
Applied in changeset commit:foreman_discovery|ee63dc3c74e7e799de43896dc199ea0c7324aa5e.

Comment 8 Sachin Ghai 2016-04-07 10:39:16 UTC
Verified with sat6.2 snap6.2

I don't see view_host permission in discovery_reader and discovery_manager role.


Please see the attached screenshots.

Comment 9 Sachin Ghai 2016-04-07 10:42:24 UTC
Created attachment 1144665 [details]
discovery_reader role doesn't have view_hosts permission

Comment 10 Sachin Ghai 2016-04-07 10:43:11 UTC
Created attachment 1144668 [details]
discovery_manager doesn't include view_hosts permission

Comment 11 Lukas Zapletal 2016-04-07 14:33:24 UTC
The bug was not going through the cherry-picking process properly (again I assumed we will be rebasing). Please cherry pick the linked upstream code:

https://github.com/theforeman/foreman_discovery/commit/ee63dc3c74e7e799de43896dc199ea0c7324aa5e

Comment 13 Sachin Ghai 2016-05-06 12:17:40 UTC
Verified with sat6.2 GA snap10.

I can see "view_host" permission in discovery_reader and discovery_manager role

Comment 14 Sachin Ghai 2016-05-06 12:18:22 UTC
Created attachment 1154604 [details]
discovery_manager includes "view_host" permission

Comment 15 Sachin Ghai 2016-05-06 12:18:55 UTC
Created attachment 1154605 [details]
discovery_reader role includes "view_host" permission

Comment 16 Sachin Ghai 2016-05-06 12:20:06 UTC
I don't see the permission denied error on login with a user who has been assigned either the "discovery_manager" role or the "discovery_reader" role.

Comment 17 Bryan Kearney 2016-07-27 11:35:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501

