Bug 1326031 - Non-admin user receives permissions error on config_templates API
Summary: Non-admin user receives permissions error on config_templates API
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium vote
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: jcallaha
URL: http://projects.theforeman.org/issues...
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-04-11 15:46 UTC by Bryan Kearney
Modified: 2019-09-25 21:18 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-27 11:29:12 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 14000 0 None None None 2016-04-22 15:35:07 UTC

Description Bryan Kearney 2016-04-11 15:46:59 UTC
When using a non-admin user account to access /api/v2/config_templates/1 or any non-index action, the user receives a 404 response due to failing permissions.

<pre>
2016-03-02T08:44:44 [app] [I] Started GET "/api/v2/config_templates/1" for 127.0.0.1 at 2016-03-02 08:44:44 +0000
2016-03-02T08:44:44 [app] [I] Processing by Api::V2::ConfigTemplatesController#show as JSON
2016-03-02T08:44:44 [app] [I]   Parameters: {"apiv"=>"v2", "id"=>"1"}
2016-03-02T08:44:44 [sql] [D]   User Load (0.2ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = '13920test' LIMIT 1
2016-03-02T08:44:44 [sql] [D]   AuthSource Load (0.2ms)  SELECT  "auth_sources".* FROM "auth_sources"  WHERE "auth_sources"."id" = ? LIMIT 1  [["id", 1]]
2016-03-02T08:44:44 [sql] [D]   CACHE (0.0ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = '13920test' LIMIT 1
2016-03-02T08:44:44 [sql] [D] Authenticated user 13920test against INTERNAL authentication source
2016-03-02T08:44:44 [sql] [D]   User Load (0.2ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = 'foreman_admin' LIMIT 1
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to foreman_admin
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to nil
2016-03-02T08:44:44 [sql] [D] Post-login processing for 13920test
2016-03-02T08:44:44 [sql] [D]   CACHE (0.0ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = 'foreman_admin' LIMIT 1
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to foreman_admin
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  begin transaction
2016-03-02T08:44:44 [sql] [D]   SQL (0.3ms)  UPDATE "users" SET "last_login_on" = ?, "updated_at" = ? WHERE "users"."id" = 58  [["last_login_on", "2016-03-02 08:44:44.488791"], ["updated_at", "2016-03-02 08:44:44.489481"]]
2016-03-02T08:44:44 [sql] [D]   Role Load (0.1ms)  SELECT  "roles".* FROM "roles"  WHERE "roles"."name" = 'Anonymous' LIMIT 1
2016-03-02T08:44:44 [sql] [D]    (0.0ms)  SELECT "roles".id FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = ? AND "user_roles"."owner_type" = 'User'  [["owner_id", 58]]
2016-03-02T08:44:44 [sql] [D]    (14.4ms)  commit transaction
2016-03-02T08:44:44 [sql] [D]   CACHE (0.0ms)  SELECT  "roles".* FROM "roles"  WHERE "roles"."name" = 'Anonymous' LIMIT 1
2016-03-02T08:44:44 [sql] [D]   Role Exists (0.1ms)  SELECT  1 AS one FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = ? AND "user_roles"."owner_type" = 'User' AND "roles"."id" = 8 LIMIT 1  [["owner_id", 58]]
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to nil
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to 13920test
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  SELECT auth_sources.id FROM "auth_sources"  WHERE "auth_sources"."type" IN ('AuthSourceHidden')
2016-03-02T08:44:44 [sql] [D]   User Load (0.1ms)  SELECT  "users".* FROM "users"  WHERE ("users"."auth_source_id" NOT IN (7)) AND "users"."lower_login" = '13920test'  ORDER BY firstname LIMIT 1
2016-03-02T08:44:44 [app] [I] Authorized user 13920test(13920 test)
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to 13920test
2016-03-02T08:44:44 [sql] [D]   Usergroup Load (0.1ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "cached_usergroup_members" ON "usergroups"."id" = "cached_usergroup_members"."usergroup_id" WHERE "cached_usergroup_members"."user_id" = ?  ORDER BY usergroups.name  [["user_id", 58]]
2016-03-02T08:44:44 [sql] [D]   Role Load (0.1ms)  SELECT DISTINCT "roles".* FROM "roles" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ?  [["user_id", 58]]
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  SELECT permissions.name FROM "permissions" INNER JOIN "filterings" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "filters" ON "filterings"."filter_id" = "filters"."id" WHERE "filters"."role_id" = ?  ORDER BY filters.role_id, filters.id  [["role_id", 37]]
2016-03-02T08:44:44 [app] [W] DEPRECATION WARNING: Your API call uses deprecated behavior, The resources /config_templates were moved to /provisioning_templates. Please use the new path instead. (called from deprecated at /home/dcleal/code/foreman/foreman/app/controllers/api/v2/config_templates_controller.rb:122)
2016-03-02T08:44:44 [permissions] [D] checking permission view_config_templates
2016-03-02T08:44:44 [sql] [D]   Filter Load (0.2ms)  SELECT "filters".* FROM "filters" INNER JOIN "filterings" ON "filterings"."filter_id" = "filters"."id" INNER JOIN "permissions" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "roles" ON "filters"."role_id" = "roles"."id" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? AND (permissions.resource_type = 'ProvisioningTemplate') AND (permissions.name = 'view_config_templates')  ORDER BY filters.role_id, filters.id  [["user_id", 58]]
2016-03-02T08:44:44 [permissions] [D] 
2016-03-02T08:44:44 [permissions] [D] no filters found for given permission
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  SELECT COUNT(*) FROM "templates"  WHERE (1=0) AND "templates"."type" IN ('ProvisioningTemplate')
2016-03-02T08:44:44 [app] [I] ActiveRecord::RecordNotFound (ActiveRecord::RecordNotFound)
2016-03-02T08:44:44 [app] [I]   Rendered api/v2/errors/not_found.json.rabl within api/v2/layouts/error_layout (0.7ms)
2016-03-02T08:44:44 [app] [I] Completed 404 Not Found in 45ms (Views: 3.4ms | ActiveRecord: 16.4ms)
</pre>

The key part of the log is:

<pre>
2016-03-02T08:44:44 [permissions] [D] checking permission view_config_templates
</pre>

The controller_permission method in the config templates API controller which should force it to check provisioning_templates permissions isn't being taken into account.

It looks like the support for controller_permission from #9687 regressed in #8343.

Comment 1 Bryan Kearney 2016-04-11 15:47:01 UTC
Created from redmine issue http://projects.theforeman.org/issues/14000

Comment 2 Bryan Kearney 2016-04-11 16:11:09 UTC
Moving to POST since upstream bug http://projects.theforeman.org/issues/14000 has been closed
-------------
Dominic Cleal
Applied in changeset commit:f05b9307fe36d877364b0ee5bee7212c3315c97e.

Comment 4 jcallaha 2016-06-16 18:10:35 UTC
Verified in Satellite 6.2 Beta Snap 15.2

Now a user without the proper permissions is given the following response.

{
  "error": {
    "message": "Access denied",
    "details": "Missing one of the required permissions: view_provisioning_templates"
  }
}

Comment 5 Bryan Kearney 2016-07-27 11:29:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1501


Note You need to log in before you can comment on or make changes to this bug.