We set the current org/loc for the user in a before filter blindly, without any association check [2][3]. As a user I'd expect a 404 (bug fixed by #3549), but I get the list of resources from the org I've chosen even though I'm not associated to it. Note that this is possible because users have the viewer_role by default, allowing them to view all data regardless of organization. If the user had all filters associated to org 1 only, he/she wouldn't see resources from org 2.
[2] https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L11
[3] https://github.com/theforeman/foreman/blob/develop/app/controllers/concerns/api/taxonomy_scope.rb#L14
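The unchecked versus association-checked organization lookup described above, as an added Ruby example that is not Foreman's code; Org, User, ORGS, NotFound and the helper names are hypothetical stand-ins for the Rails models and the API before filter:

```ruby
# Added example (not Foreman's code): a minimal model of an API taxonomy
# before filter, with the unchecked lookup beside the association-checked one.
Org  = Struct.new(:id, :name)
User = Struct.new(:login, :organization_ids, :admin)

# Constructed sample data standing in for the database.
ORGS = [Org.new(1, "Testorg"), Org.new(2, "Anotherorg")]

class NotFound < StandardError; end

# Weak variant: the org is looked up by id alone, so any authenticated user
# can pick any organization as the request scope (the bug reported here).
def set_org_unchecked(_user, params)
  ORGS.find { |o| o.id == params[:organization_id] } or raise NotFound
end

# Hardened variant: non-admin users may only select organizations they are
# associated with; a missing org and an unassociated org both end as
# NotFound, so the response does not reveal which ids exist.
def set_org_checked(user, params)
  id = params[:organization_id]
  return nil if id.nil?                       # no taxonomy scope requested
  org = ORGS.find { |o| o.id == id }
  raise NotFound if org.nil?
  raise NotFound unless user.admin || user.organization_ids.include?(org.id)
  org
end

# Maps the outcome onto the status code and message seen in the comments.
def select_org(user, params, checked: true)
  org = checked ? set_org_checked(user, params) : set_org_unchecked(user, params)
  [200, org]
rescue NotFound
  [404, { "message" => "Organization with id #{params[:organization_id]} not found" }]
end
```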
Created from redmine issue http://projects.theforeman.org/issues/15182
Upstream bug assigned to mhulan
Moving to POST since upstream bug http://projects.theforeman.org/issues/15182 has been closed
FailedQA. This might have been caused by something else, but this bug is not verifiable anyway.
1) Create an org.
2) Create a user in that org and grant full rights (not admin) to it.
3) As admin, create some domain in that org.
4) As the user, create some domain in that org.
5) Notice that, when logged in as the user, you can't see any of those domains.
6) Try with the API:
    # curl -X GET -k -u testuser:testpass "https://<FQDN>/api/organizations/3/domains"
    { "total": 0, "subtotal": 0, "page": 1, "per_page": 20, "search": null, "sort": { "by": null, "order": null }, "results": [] }
Verified with Sat6.3 snap 16. The point here was not the inability to reproduce. The problem was that there has been a change in behavior between 6.2 and 6.3: entities without a Location assigned are now not shown to non-admin users. As this is expected, according to devel, I am verifying this bug.
Reproducer:
1) Create org Testorg.
2) Create user Testuser in Testorg.
3) Assign Default Location to Testorg and to Testuser.
4) As Testuser, create domain Testdomain with org Testorg and location Testlocation.
5) List domains in Testorg; they are successfully listed:
    # curl -X GET -k -u Testuser:<testpass> "https://<FQDN>/api/domains?organization_id=<Testorg_id>"
6) Create org Anotherorg.
7) Create user Anotheruser in Anotherorg.
8) Assign Default Location to Anotherorg and to Anotheruser.
9) Try to list domains in Testorg as Anotheruser and get {"message":"Organization with id <Testorg_id> not found"}, which means the bug has been fixed:
    # curl -X GET -k -u Anotheruser:<anotherpass> "https://<FQDN>/api/domains?organization_id=<Testorg_id>"
Further tested with similar steps using:
a) GET, Location instead of Org (for example API /api/locations/:location_id/hostgroups) and hostgroups as the entity
b) POST, Location and Parameter create
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:0336