Bug 1343516 - Cloudforms role-based access controls (RBAC) allow a user to view requests using the REST API end-point when they do not have the required permissions
Summary: Cloudforms role-based access controls (RBAC) allow a user to view requests us...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.5.0
Hardware: x86_64
OS: Linux
high
high
Target Milestone: GA
: 5.6.1
Assignee: Tim Wade
QA Contact: Martin Kourim
URL:
Whiteboard: rbac:rest
Depends On: 1297974 1340311
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-06-07 12:04 UTC by John Prause
Modified: 2016-11-18 15:14 UTC (History)
4 users (show)

Fixed In Version: 5.6.1.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1340311
Environment:
Last Closed: 2016-11-18 15:14:25 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:


Attachments (Terms of Use)

Comment 2 Satoe Imaishi 2016-11-04 20:41:32 UTC
This was fixed in 5.6.1. Please move to CLOSED CURRENTRELEASE if verification passes.

Comment 3 Martin Kourim 2016-11-15 13:30:15 UTC
Verified using steps in bug description. Resulted in
{
  "error": {
    "kind": "forbidden",
    "message": "Use of the read action is forbidden",
    "klass": "ApiController::Forbidden"
  }
}


Note You need to log in before you can comment on or make changes to this bug.