Bug 1391810 - User can't create repository in custom product
Summary: User can't create repository in custom product
Keywords:
Status: CLOSED DUPLICATE of bug 1374505
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.2.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: Unspecified
Assignee: satellite6-bugs
QA Contact: Katello QA List
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-04 05:30 UTC by Neil Miao
Modified: 2016-11-07 17:45 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-07 17:45:02 UTC
Target Upstream Version:
Embargoed:



Description Neil Miao 2016-11-04 05:30:47 UTC
Description of problem:

Non-admin user, with full permissions granted, cannot create any repository in a custom product.

A red notification box 'You are not authorized to perform this action.' shows up when the user clicks the 'create repository' button in the product page (https://satellite6.corp.redhat.com/products/xxx/repositories).

Firebug picked up two 403 API calls initiated by JS:

GET https://satellite6.corp.redhat.com/api/v2/settings?search=name+%3D+default_download_policy 403 (Forbidden)

GET https://satellite6.corp.redhat.com/katello/api/v2/repositories/repository_types?creatable=true&organization_id=6 403 (Forbidden)


Version-Release number of selected component (if applicable):
foreman-1.11.0.54-1.el7sat.noarch
tfm-rubygem-katello-3.0.0.80-1.el7sat.noarch

How reproducible:
always

Steps to Reproduce:
1. assuming the satellite already has an org and a few locations, and the sub manifest is imported
2. create a role 'test' with the following permissions:
- all permissions under organization
- all permissions under content views
- all permissions under LC environments
- all permissions under Product and Repositories

3. create a user 'jdoe', attach only the 'test' role
4. login as jdoe
5. create a custom product 'test'
6. click the 'new repository' button within product 'test'

Actual results:
- no 'You are not authorized to perform this action.' pops up
- 'type' dropdown is populated
- default download policy is selected in 'download policy' dropdown


Expected results:
- 'type' dropdown is empty
- nothing is selected in the 'download policy' dropdown (this is only visible after the first repository type bug is fixed, because the 'download policy' dropdown box is hidden when nothing is selected in the 'type' dropdown box)



Additional info:

Comment 1 Neil Miao 2016-11-04 05:35:15 UTC
The first repository type bug is fixed with the following patch:


(/opt/theforeman/tfm/root/usr/share/gems/gems/katello-3.0.0.80/lib/katello/permissions/product_permissions.rb)

# diff -u product_permissions.rb.orig product_permissions.rb
--- product_permissions.rb.orig	2016-11-04 05:33:06.565873001 +0000
+++ product_permissions.rb	2016-11-04 05:33:39.933873975 +0000
@@ -5,7 +5,7 @@
              {
                'katello/products' => [:auto_complete, :auto_complete_search],
                'katello/api/v2/products' => [:index, :show],
-               'katello/api/v2/repositories' => [:index, :show],
+               'katello/api/v2/repositories' => [:index, :show, :repository_types],
                'katello/api/v2/packages' => [:index, :show],
                'katello/api/v2/distributions' => [:index, :show],
                'katello/api/v2/package_groups' => [:index, :show],
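
Review bot: On the changed 'katello/api/v2/repositories' line, :repository_types is appended to the same action list as :index and :show, so every role that already holds this permission gains the new endpoint; confirm that the action is read-only and returns only the repository type list before widening the grant. The diff is taken against product_permissions.rb.orig in place rather than against the source tree, so the change should also be submitted to the project with a test that a non-admin holding only this permission can call repository_types and is still refused on actions outside this list.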


As such, whoever has the :view_products permission will be able to view the repository types.

Comment 2 Neil Miao 2016-11-04 05:40:24 UTC
The settings one is a bit tricky.

The access is blocked at 2 places:

1. the permission set is missing :"api/v2/settings" => [:index]

(/usr/share/foreman/app/services/foreman/access_permissions.rb)

  permission_set.security_block :settings_menu do |map|
    map.permission :access_settings,  {:home => [:settings]}
  end


2. only admin can read the settings

(/usr/share/foreman/app/controllers/api/v2/settings_controller.rb)

module Api
  module V2
    class SettingsController < V2::BaseController
      before_filter :require_admin


Someone needs to come up with something else to allow non-admins to read at least the default_download_policy.
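
An added example, not part of the original comments and not Foreman or Katello code: a simplified Ruby model of the two checks described in comments 1 and 2, showing which layer answers 403 for each request from the description. All constant and method names are hypothetical, the model checks the permission map before the admin filter as an assumption, and WITH_SETTINGS models a mapping the page only says is missing.

```ruby
# Simplified model, not Foreman/Katello code. All names are hypothetical;
# only the controller/action pairs are taken from this page.
PERMISSIONS = {
  view_products: {
    'katello/api/v2/products'     => [:index, :show],
    'katello/api/v2/repositories' => [:index, :show]
  },
  access_settings: { 'home' => [:settings] }
}.freeze

# After the comment 1 patch: :repository_types joins the same action list.
PATCHED = PERMISSIONS.merge(
  view_products: PERMISSIONS[:view_products].merge(
    'katello/api/v2/repositories' => [:index, :show, :repository_types]
  )
).freeze

# Assumed change: the mapping comment 2 says is missing, and nothing else.
WITH_SETTINGS = PERMISSIONS.merge(
  access_settings: { 'home' => [:settings], 'api/v2/settings' => [:index] }
).freeze

# Controllers that run an admin-only filter in front of every action.
ADMIN_ONLY = ['api/v2/settings'].freeze

# Toy routing: the collection path is :index, one further segment is a
# custom collection action such as repository_types.
def route(path)
  segments = path.split('?').first.sub(%r{\A/}, '').split('/')
  resource_at = segments.index('v2') + 1
  [segments[0..resource_at].join('/'), (segments[resource_at + 1] || 'index').to_sym]
end

# Returns :ok or the layer that would answer 403.
def authorize(path, granted, admin: false, permissions: PERMISSIONS)
  return :ok if admin
  controller, action = route(path)
  mapped = granted.any? do |name|
    permissions.fetch(name, {}).fetch(controller, []).include?(action)
  end
  return :denied_unmapped_action unless mapped
  ADMIN_ONLY.include?(controller) ? :denied_admin_filter : :ok
end

# The two requests from the description.
TYPES_PATH = '/katello/api/v2/repositories/repository_types?creatable=true&organization_id=6'
SETTINGS_PATH = '/api/v2/settings?search=name+%3D+default_download_policy'
```

In this model, adding the settings mapping alone only moves the refusal from the permission map to the admin filter, which is why comment 2 treats the settings request as needing a different fix from the one-line change in comment 1.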

Comment 3 Brad Buckingham 2016-11-07 17:45:02 UTC
Hi Neil,

Thank you for opening the bugzilla.  This one appears to be a duplicate of bug 1374505; therefore, I am going to close it as a duplicate.  If that bug does not solve the issue for your case, please do let us know.

*** This bug has been marked as a duplicate of bug 1374505 ***

