Bug 1404474 - A user with limited access permissions is unable to add or remove host collections from an activation key
Status: CLOSED DUPLICATE of bug 1304815
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Activation Keys
Version: 6.2.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: Unspecified
Assignee: Eric Helms
Blocks: 1316897
Reported: 2016-12-13 22:54 UTC by Stuart Auchterlonie
Modified: 2020-03-11 15:30 UTC (History)
Last Closed: 2016-12-13 23:20:25 UTC

Attachments
Patch to enable buttons (1.39 KB, patch)
2016-12-13 22:54 UTC, Stuart Auchterlonie

Description Stuart Auchterlonie 2016-12-13 22:54:07 UTC
Created attachment 1231360
Patch to enable buttons

Description of problem:

A user with limited access permissions is unable to add or remove host collections from an activation key using the Satellite web interface.

The same user can successfully add and remove host collections from
the activation key using hammer.

Version-Release number of selected component (if applicable):

6.2.4

How reproducible:

100%

Steps to Reproduce:
1. Create a user with limited access rights

Access rights are as follows:
Host Collections: view_host_collections, edit_host_collections
  - Search: name ~ "Test_*_Dev" || name ~ "Test_*_QA"
Activation Keys: view_activation_keys, create_activation_keys,
  edit_activation_keys, destroy_activation_keys
  - Search: name ~ ak_test
Organization: view_organizations, assign_organizations,
  view_subscriptions, attach_subscriptions, unattach_subscriptions

2. Use hammer to add host collection to the activation key

# hammer -u limited -p redhat activation-key add-host-collection --host-collection "Test_A_Dev" --name ak_test --organization ACME
The host collection has been associated
# hammer -u limited -p redhat activation-key remove-host-collection --host-collection "Test_A_Dev" --name ak_test --organization ACME
The host collection has been removed

3. Log into the satellite web interface as the "limited" user
4. Navigate to Content > Activation Keys > "ak_test" > Host Collections > Add


Actual results:

At step #4 the "Add Selected" button is missing
as is the "Remove Selected" button on the "List/Remove" tab

(I have a patch for this)

After applying my patch for this, attempts to submit the changes
result in an error from the backend. The web debugger yields the following

--------
Request URL:https://stuarta-sat6-test.usersys.redhat.com/katello/api/v2/activation_keys/13/host_collections
Request Method:POST
Status Code:403 Forbidden
Remote Address:10.33.9.40:443
--------
Request Payload
{"activation_key":{"host_collection_ids":[4]}}
--------
Response Payload
{
  "error": {"message":"Access denied","details":"Missing one of the required permissions: "}
}
--------

Note that the response payload does not list the missing permissions
whilst running hammer in debug mode does. (To see this effect remove
the organization access rights from the user)

Expected results:

1) The "Add Selected" and "Remove Selected" buttons should be visible
if the user has the "edit_activation_keys" privilege.
2) If the user has this privilege, modification of the activation key
via the GUI should be possible.


Additional info:

Comment 3 Stuart Auchterlonie 2016-12-13 23:12:52 UTC
Upstream patch for the button part of the issue

https://github.com/Katello/katello/commit/3a2f00362c7c05b8674e31e146d8037cff954ca5

Comment 4 Stuart Auchterlonie 2016-12-13 23:20:25 UTC
Followed the rabbit hole further.

This is http://projects.theforeman.org/issues/16997
which is https://bugzilla.redhat.com/show_bug.cgi?id=1304815
which is fixed in 6.2.5

Sigh, apologies for the noise

*** This bug has been marked as a duplicate of bug 1304815 ***
