Bug 1343516 - Cloudforms role-based access controls (RBAC) allow a user to view requests using the REST API end-point when they do not have the required permissions
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.5.0
Hardware: x86_64
OS: Linux
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.6.1
Assignee: Tim Wade
QA Contact: Martin Kourim
URL:
Whiteboard: rbac:rest
Depends On: 1297974 1340311
Blocks:
Reported: 2016-06-07 12:04 UTC by John Prause
Modified: 2016-11-18 15:14 UTC

Fixed In Version: 5.6.1.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1340311
Environment:
Last Closed: 2016-11-18 15:14:25 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:



Comment 2 Satoe Imaishi 2016-11-04 20:41:32 UTC
This was fixed in 5.6.1. Please move to CLOSED CURRENTRELEASE if verification passes.

Comment 3 Martin Kourim 2016-11-15 13:30:15 UTC
Verified using steps in bug description. Resulted in
{
  "error": {
    "kind": "forbidden",
    "message": "Use of the read action is forbidden",
    "klass": "ApiController::Forbidden"
  }
}

