Is there any movement on this, I have a bunch of annoyed admins that want to be able to view conent hosts in their organizations.

Tested with 6.2.5, I still see the forever loading page. Checking the production.log it seems that it tries to fetch Foreman hosts from
/api/v2/hosts?organization_id=1&page=1&search=&sort_by=name&sort_order=ASC

This fails if user does not have permission to view_organizations. When I add this permission to the user it works for me. Could you please verify that the user has the view_organizations permission?

 I think content host page should better handle errors when loading data. It's not specific to permission system so moving to content host component.

Tested on 6.2.5 and was able to view content hosts with the following permissions:

Host - view_hosts 
Content Views - view_content_views
Lifecycle Environment - view_lifecycle_environments
Organizations - view_organizations, view_subscriptions

the first three were limited to an org, 'organizations' had a search with 'name = MyOrg'

Justin, shouldn't the page be fixed if user doesn't have view_organizations permission? When I was reproducing it, I saw that the spinner does not disappear and no error was displayed. I think that's bad user experience.

Hey Marek,

I would agree, it seems unnecessary.  The katello UI is simply calling:

/api/v2/hosts?organization_id=1

and this is failing unless you have organization read on that org with a 404 not found.  Guessing the code in that controller would need to be change to not actually care about readable orgs/locs

Failed QA on Satellite 6.3 SNAP 10 : satellite-6.3.0-16.0.beta.el7sat.noarch , tfm-rubygem-katello-3.4.4-1.el7sat.noarch

- Configured a user with the role and permissions cited in comment 7
- Logged in as that user
- Went to Hosts -> All Hosts and Hosts -> Content Hosts
  - Neither page is showing any hosts; however, there should be some

Hi Marek, if you have a moment, can you take a look at this one?  The issue being observed may be different than the original bug; however, the bug cannot be verified.  With the current behavior, there are no errors, but the restricted user doesn't see any hosts or content hosts listed.

Adding a 'location' to the restricted user allows them to see the Hosts/Content Hosts.  In 6.2, this was not necessary.  Is the new behavior intentional?

This change in behavior may require existing Satellite users to update their users to be within a location.

Brad, I believe this is the change that got in in 1.15. It was a fix for CVE 2016-7078, for non-admin user it's impossible to see resource which is not assigned to any organization/location. Please see the issue [1] and the description in github PR [2] for more details

[1] http://projects.theforeman.org/issues/16982/
[2] https://github.com/theforeman/foreman/pull/3961

Puuting needinfo back to brad. Is this "as designed" then?

Puuting needinfo back to brad. Is this "as designed" then?

Correct.  The new behavior is working as designed.  Moving to VERIFIED.

User needs permissions as described in comment 7 + view_location.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:0336