1340311 – Cloudforms role-based access controls (RBAC) allow a user to view requests using the REST API end-point when they do not have the required permissions

Bug 1340311 - Cloudforms role-based access controls (RBAC) allow a user to view requests using the REST API end-point when they do not have the required permissions

Summary: Cloudforms role-based access controls (RBAC) allow a user to view requests us...

Keywords:
Status:	CLOSED DUPLICATE of bug 1297974
Alias:	None
Product:	Red Hat CloudForms Management Engine
Classification:	Red Hat
Component:	API
Sub Component:
Version:	5.5.0
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	GA
Target Release:	5.7.0
Assignee:	Tim Wade
QA Contact:	Taras Lehinevych
Docs Contact:
URL:
Whiteboard:	rbac:rest
Depends On:
Blocks:	1343516
TreeView+	depends on / blocked

Reported:	2016-05-27 01:37 UTC by Shane Boulden
Modified:	2016-08-03 01:32 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	1343516 (view as bug list)
Environment:
Last Closed:	2016-07-25 15:44:39 UTC
Category:	---
Cloudforms Team:	---
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Screenshot of approve/deny-only Cloudforms role (59.45 KB, image/png) 2016-05-27 01:37 UTC, Shane Boulden	no flags	Details
View All

Description Shane Boulden 2016-05-27 01:37:21 UTC

Created attachment 1162324 [details]
Screenshot of approve/deny-only Cloudforms role

Description of problem:
Cloudforms role-based access controls (RBAC) allow a user to view requests using the REST API end-point when they do not have the required permissions

Version-Release number of selected component (if applicable):
CFME 5.5.3.4.20160407153134_b3e2a83 

How reproducible:
1. Create a Role in Cloudforms that is only permitted to approve/ deny service requests, but not list them (per attached screenshot).
 
2. Create a group and assign the role created in (1).

3. Create a user and assign to the group created in (2).

4. Navigate to the end-point of a known request, eg; https://cloudforms/api/requests/65000000000146

5. When prompted, enter the credentials for the user created in (3).

Actual results:
Cloudforms allows the user to view the request, even though they lack the permissions to "list/show" requests.

Expected results:
Cloudforms denies the user access to the REST API endpoint for the request

Comment 3 Tim Wade 2016-07-20 14:19:46 UTC

Shane: This should have been fixed upstream in https://github.com/ManageIQ/manageiq/pull/8554 - can you confirm?

Comment 4 Shane Boulden 2016-07-21 22:39:23 UTC

Hi Tim, I've just tested on darga-2.20160711210308_ce72215 and it works great!

Thanks very much for tracking this down.

Comment 5 Tim Wade 2016-07-25 15:44:39 UTC

Hi Shane, Thanks for testing this out!

I will close this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1297974

*** This bug has been marked as a duplicate of bug 1297974 ***

Note You need to log in before you can comment on or make changes to this bug.