Created attachment 1162324: Screenshot of approve/deny-only Cloudforms role

Description of problem:
Cloudforms role-based access controls (RBAC) allow a user to view requests using the REST API end-point when they do not have the required permissions.

Version-Release number of selected component (if applicable):
CFME 5.5.3.4.20160407153134_b3e2a83

How reproducible:
1. Create a Role in Cloudforms that is only permitted to approve/deny service requests, but not list them (per attached screenshot).
2. Create a group and assign the role created in (1).
3. Create a user and assign to the group created in (2).
4. Navigate to the end-point of a known request, e.g. https://cloudforms/api/requests/65000000000146
5. When prompted, enter the credentials for the user created in (3).

Actual results:
Cloudforms allows the user to view the request, even though they lack the permissions to "list/show" requests.

Expected results:
Cloudforms denies the user access to the REST API endpoint for the request.
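The defect described above is a gap in per-action authorization: the approve/deny actions on a request are gated on a product feature, but the read of the same request is not, so a role that was deliberately denied "list/show" can still fetch the record through the API. The Ruby script below is an added illustration written for this report, not ManageIQ/CloudForms code and not the content of the upstream fix. It models roles as sets of features, maps REST routes to the feature each one requires, and contrasts a weak route map (reads left unguarded, which reproduces the reported behaviour) with a corrected map where every route names a feature and unmapped routes are denied by default. The route strings and the feature names `request_view` and `request_approve` are constructed placeholders, not real CloudForms identifiers. The `unguarded_routes` audit is the regression check a reviewer would want: it must return an empty list for the policy that ships.

```ruby
# Constructed illustration of feature-based API authorization (not ManageIQ code).
require 'set'

# A role is the set of product features it grants.
Role = Struct.new(:name, :features) do
  def allows?(feature)
    features.include?(feature)
  end
end

# Constructed roles: the reporter's approve/deny-only role, and a full request role.
APPROVE_DENY_ONLY = Role.new("approve-deny-only", Set["request_approve"])
REQUEST_ADMIN     = Role.new("request-admin",     Set["request_view", "request_approve"])

# Weak policy reproducing the bug: only the approve/deny actions require a
# feature; GET on a request (nil) is served to any authenticated user.
WEAK_POLICY = {
  "GET /api/requests"              => nil,
  "GET /api/requests/:id"          => nil,
  "POST /api/requests/:id/approve" => "request_approve",
  "POST /api/requests/:id/deny"    => "request_approve",
}.freeze

# Corrected policy: reads are gated on the view feature like every other action.
STRICT_POLICY = WEAK_POLICY.merge(
  "GET /api/requests"     => "request_view",
  "GET /api/requests/:id" => "request_view",
).freeze

# Returns true if the role may call the route under the given policy.
# A route with no required feature (nil) or absent from the policy is only
# allowed when the caller explicitly opts into open routes; the default is
# deny, which is the behaviour the bug report expects.
def authorized?(policy, role, route, open_routes_allowed: false)
  required = policy[route]
  return open_routes_allowed if required.nil?
  role.allows?(required)
end

# Audit helper: every route in a policy that does not name a feature.
# An authorization policy should never ship with a non-empty result.
def unguarded_routes(policy)
  policy.select { |_route, feature| feature.nil? }.keys
end

if __FILE__ == $PROGRAM_NAME
  route = "GET /api/requests/:id"
  puts "weak policy, approve/deny-only role, #{route}: " \
       "#{authorized?(WEAK_POLICY, APPROVE_DENY_ONLY, route, open_routes_allowed: true)}"
  puts "strict policy, approve/deny-only role, #{route}: " \
       "#{authorized?(STRICT_POLICY, APPROVE_DENY_ONLY, route)}"
  puts "unguarded routes in weak policy: #{unguarded_routes(WEAK_POLICY).inspect}"
  puts "unguarded routes in strict policy: #{unguarded_routes(STRICT_POLICY).inspect}"
end
```

The point of the strict map is that approval rights do not imply read rights: the approve/deny-only role still passes for `POST /api/requests/:id/approve` but fails for `GET /api/requests/:id`, and an audit of the route table catches any new endpoint added without a feature before it reaches a release.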
Shane: This should have been fixed upstream in https://github.com/ManageIQ/manageiq/pull/8554 - can you confirm?
Hi Tim, I've just tested on darga-2.20160711210308_ce72215 and it works great! Thanks very much for tracking this down.
Hi Shane, Thanks for testing this out! I will close this as a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1297974

*** This bug has been marked as a duplicate of bug 1297974 ***