Bug 1392612 - API allows fetching virtual_templates without appropriate role
Summary: API allows fetching virtual_templates without appropriate role
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.8.0
Assignee: abellott
QA Contact: Martin Kourim
URL:
Whiteboard: rest:template:security
Depends On:
Blocks: 1394335
 
Reported: 2016-11-07 21:45 UTC by abellott
Modified: 2019-08-06 20:04 UTC (History)

Fixed In Version: 5.8.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1394335
Environment:
Last Closed: 2017-06-12 16:24:25 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:



Description abellott 2016-11-07 21:45:40 UTC
Description of problem:

API is missing the role identifier for reading virtual_templates resources.
This means that a user with a role without the Show Virtual Templates access can still fetch an individual virtual template.

Version-Release number of selected component (if applicable):

5.7

How reproducible:

Always

Steps to Reproduce:
1. Setup user with Role with
   Access Rules for all Virtual Machines -> Template Access Rules -> Virtual Templates -> Show Virtual Templates UNCHECKED
2. GET /api/virtual_templates/:id

Actual results:

Successful return of the resource

Expected results:

403/Forbidden

Additional info:

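The following Ruby example is added here to illustrate the class of defect this bug reports; it is not ManageIQ code and not part of the original report. It models a REST API whose per-collection action table carries a role identifier for each action: the vulnerable table has no identifier for `read` on `virtual_templates`, so a fail-open dispatcher never checks the caller's role, while the fixed table requires `virtual_template_show` (the identifier named in the fix commit). The action-table layout, the `vm_show` identifier, the `User` struct, and the `handle_request` and `missing_identifiers` helpers are hypothetical; the 403 body shape follows the verification output in this bug. The dispatcher defaults to fail-closed, and the lint function lists actions with no identifier so this kind of gap is caught in configuration review rather than in production.

```ruby
require 'json'

# Hypothetical action tables, a simplified stand-in for an api.yml-style
# collection definition. The vulnerable table has no identifier for :read.
VULNERABLE_API_CONFIG = {
  'virtual_templates' => {
    read: { identifier: nil }
  }
}.freeze

FIXED_API_CONFIG = {
  'virtual_templates' => {
    read: { identifier: 'virtual_template_show' }
  }
}.freeze

# Caller with the feature identifiers its role grants (constructed data;
# 'vm_show' is a hypothetical identifier used only to show a non-empty role).
User = Struct.new(:name, :identifiers) do
  def allowed?(identifier)
    identifiers.include?(identifier)
  end
end

# 403 body in the shape the API returned once the fix was in place.
def forbidden_response(action)
  { status: 403,
    body:   { 'error' => { 'kind'    => 'forbidden',
                           'message' => "Use of the #{action} action is forbidden",
                           'klass'   => 'Api::ForbiddenError' } } }
end

# Dispatch one request for /api/<collection>/<id>.
# fail_open: true reproduces the defect: an action with no identifier is
# simply not checked. The default (fail-closed) refuses such actions.
def handle_request(config, user, collection, action, id, fail_open: false)
  entry = config.dig(collection, action)
  return { status: 404, body: { 'error' => { 'kind' => 'not_found' } } } if entry.nil?

  identifier = entry[:identifier]
  if identifier.nil?
    return forbidden_response(action) unless fail_open
  elsif !user.allowed?(identifier)
    return forbidden_response(action)
  end

  { status: 200, body: { 'href' => "/api/#{collection}/#{id}", 'id' => id } }
end

# Configuration lint: every action that has no role identifier, as
# "collection/action" strings, so a missing check is visible before release.
def missing_identifiers(config)
  config.flat_map do |collection, actions|
    actions.select { |_, e| e[:identifier].nil? }.map { |a, _| "#{collection}/#{a}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  viewer = User.new('viewer', ['vm_show']) # lacks virtual_template_show
  # Bug reproduced: fail-open dispatcher plus missing identifier returns 200.
  puts JSON.pretty_generate(handle_request(VULNERABLE_API_CONFIG, viewer, 'virtual_templates', :read, 42, fail_open: true))
  # Fixed table: the same caller gets the forbidden error body.
  puts JSON.pretty_generate(handle_request(FIXED_API_CONFIG, viewer, 'virtual_templates', :read, 42))
  p missing_identifiers(VULNERABLE_API_CONFIG)
end
```

Run the file directly to see the three outputs. The two defences are independent: fail-closed dispatch stops an unchecked action from ever being served, and the lint makes the missing entry show up as a reviewable finding in the configuration itself.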
Comment 3 CFME Bot 2016-11-10 15:26:27 UTC
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/6e3b51a3fad3c390c87d5e15c0baabbfb233d00e

commit 6e3b51a3fad3c390c87d5e15c0baabbfb233d00e
Author:     Alberto Bellotti <abellott>
AuthorDate: Fri Nov 4 17:07:50 2016 -0400
Commit:     Alberto Bellotti <abellott>
CommitDate: Tue Nov 8 10:13:39 2016 -0500

    Was missing a role identifier for reading virtual_templates resources.
    
    - Added the virtual_template_show role identifier for reading
    /api/virtual_templates/:id resources
    - Added specs
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1392612

 config/api.yml                              |  4 ++++
 spec/requests/api/virtual_templates_spec.rb | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)

Comment 4 CFME Bot 2016-11-10 20:46:05 UTC
New commit detected on ManageIQ/manageiq/euwe:
https://github.com/ManageIQ/manageiq/commit/b5eb7caa29c3659a6888de36946c4b01a77adb73

commit b5eb7caa29c3659a6888de36946c4b01a77adb73
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Thu Nov 10 10:21:57 2016 -0500
Commit:     Oleg Barenboim <chessbyte>
CommitDate: Thu Nov 10 15:39:00 2016 -0500

    Merge pull request #12452 from abellotti/api_virtual_template_resource_read_role
    
    Was missing a role identifier for reading virtual_templates resources.
    (cherry picked from commit 1a0ec9c8cb4304fe89e5c6daef39a632e14699a8)
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1392612

 config/api.yml                              |  4 ++++
 spec/requests/api/virtual_templates_spec.rb | 23 +++++++++++++++++++++++
 2 files changed, 27 insertions(+)

Comment 6 Martin Kourim 2017-02-28 19:06:28 UTC
Verified by following "Steps to Reproduce". Result:
{
  "error": {
    "kind": "forbidden",
    "message": "Use of the read action is forbidden",
    "klass": "Api::ForbiddenError"
  }
}

