Description of problem:
Non-admin user, with full permissions granted, cannot create any repository in a custom product. A red notification box 'You are not authorized to perform this action.' shows up when the user clicks the 'create repository' button in the product page (https://satellite6.corp.redhat.com/products/xxx/repositories).

Firebug picked up 2 403 API calls initiated by JS:

GET https://satellite6.corp.redhat.com/api/v2/settings?search=name+%3D+default_download_policy 403 (Forbidden)
GET https://satellite6.corp.redhat.com/katello/api/v2/repositories/repository_types?creatable=true&organization_id=6 403 (Forbidden)

Version-Release number of selected component (if applicable):
foreman-1.11.0.54-1.el7sat.noarch
tfm-rubygem-katello-3.0.0.80-1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. assuming the satellite already has an org and a few locations, and a sub manifest is imported
2. create a role 'test' with the following permissions:
   - all permissions under organization
   - all permissions under content views
   - all permissions under LC environments
   - all permissions under Product and Repositories
3. create a user 'jdoe', attach only the 'test' role
4. login as jdoe
5. create a custom product 'test'
6. click the 'new repository' button within product 'test'

Actual results:
- no 'You are not authorized to perform this action.' pops up
- 'type' dropdown is populated
- default download policy is selected in 'download policy' dropdown

Expected results:
- 'type' dropdown is empty
- nothing is selected in the 'download policy' dropdown (this is only visible after the first repository type bug is fixed, because the 'download policy' dropdown box is hidden when nothing is selected in the 'type' dropdown box)

Additional info:
The first repository type bug is fixed with the following patch: (/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.80/lib/katello/permissions/product_permissions.rb) # diff -u product_permissions.rb.orig product_permissions.rb --- product_permissions.rb.orig 2016-11-04 05:33:06.565873001 +0000 +++ product_permissions.rb 2016-11-04 05:33:39.933873975 +0000 @@ -5,7 +5,7 @@ { 'katello/products' => [:auto_complete, :auto_complete_search], 'katello/api/v2/products' => [:index, :show], - 'katello/api/v2/repositories' => [:index, :show], + 'katello/api/v2/repositories' => [:index, :show, :repository_types], 'katello/api/v2/packages' => [:index, :show], 'katello/api/v2/distributions' => [:index, :show], 'katello/api/v2/package_groups' => [:index, :show], As such, whoever has the :view_products permission will be able to view the repository types.
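Review bot: the change is made directly to the installed gem under /opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.80/lib/katello/permissions/product_permissions.rb, so the next katello package update will overwrite it; to stick, the same one-line change needs to land in the upstream product_permissions.rb. On scope, adding :repository_types to the existing `'katello/api/v2/repositories' => [:index, :show]` entry keeps it under the read-only view permission rather than a create/edit one, which fits an endpoint that only lists available types; since the failing request also passes `creatable=true` and `organization_id`, confirm that the action returns nothing beyond the type list before relying on :view_products alone as its gate.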
The settings one is a bit tricky. The access is blocked at 2 places:

1. The permission set is missing :"api/v2/settings" => [:index] (/usr/share/foreman/app/services/foreman/access_permissions.rb):

    permission_set.security_block :settings_menu do |map|
      map.permission :access_settings, {:home => [:settings]}
    end

2. Only admin can read the settings (/usr/share/foreman/app/controllers/api/v2/settings_controller.rb):

    module Api
      module V2
        class SettingsController < V2::BaseController
          before_filter :require_admin

Someone needs to come up with something else to allow non-admin users to read at least the default_download_policy.
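To make the two gates above concrete, here is a small constructed model (added here; not Foreman or Katello code) of how a permission-to-actions map like product_permissions.rb and a controller-level `require_admin` filter combine to produce the two 403s, with `authorize`, `PERMISSIONS_BEFORE`/`PERMISSIONS_AFTER` and the `jdoe` user all assumed for illustration:

```ruby
# Constructed model of the two authorization gates described above.
# Not Foreman/Katello code: the maps mirror the shape of
# product_permissions.rb, and ADMIN_ONLY_CONTROLLERS stands in for
# `before_filter :require_admin` in settings_controller.rb.

# permission => { controller => [actions] }, as shipped in katello-3.0.0.80
PERMISSIONS_BEFORE = {
  view_products: {
    'katello/api/v2/products'     => [:index, :show],
    'katello/api/v2/repositories' => [:index, :show]
  }
}.freeze

# Same map after adding :repository_types to the :view_products entry
PERMISSIONS_AFTER = {
  view_products: {
    'katello/api/v2/products'     => [:index, :show],
    'katello/api/v2/repositories' => [:index, :show, :repository_types]
  }
}.freeze

# Controllers whose every action is guarded by require_admin
ADMIN_ONLY_CONTROLLERS = ['api/v2/settings'].freeze

User = Struct.new(:login, :admin, :permissions)

# Returns :ok, :admin_only or :missing_permission for one (controller, action).
# The controller-level admin filter is evaluated before any permission lookup,
# so mapping 'api/v2/settings' => [:index] into a permission set on its own
# would still leave a non-admin user with a 403 on that endpoint.
def authorize(user, controller, action, perm_map)
  return :ok if user.admin
  return :admin_only if ADMIN_ONLY_CONTROLLERS.include?(controller)

  granted = user.permissions.any? do |perm|
    perm_map.fetch(perm, {}).fetch(controller, []).include?(action)
  end
  granted ? :ok : :missing_permission
end

# Constructed non-admin user holding only the view-level product permission
JDOE = User.new('jdoe', false, [:view_products])

if __FILE__ == $PROGRAM_NAME
  p authorize(JDOE, 'katello/api/v2/repositories', :repository_types, PERMISSIONS_BEFORE) # :missing_permission
  p authorize(JDOE, 'katello/api/v2/repositories', :repository_types, PERMISSIONS_AFTER)  # :ok
  p authorize(JDOE, 'api/v2/settings', :index, PERMISSIONS_AFTER)                         # :admin_only
end
```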
Hi Neil,

Thank you for opening the bugzilla. This one appears to be a duplicate of bug 1374505; therefore, I am going to close it as a duplicate. If that bug does not solve the issue for your case, please do let us know.

*** This bug has been marked as a duplicate of bug 1374505 ***