Created attachment 1231360
Patch to enable buttons

Description of problem:
A user with limited access permissions is unable to add or remove host collections from an activation key, using the satellite web interface. The same user can successfully add and remove host collections from the activation key using hammer.

Version-Release number of selected component (if applicable):
6.2.4

How reproducible:
100%

Steps to Reproduce:
1. Create a user with limited access rights

Access rights are as follows

Host Collections:
  view_host_collections, edit_host_collections
  - Search: name ~ "Test_*_Dev" || name ~ "Test_*_QA"
Activation Keys:
  view_activation_keys, create_activation_keys
  edit_activation_keys, destroy_activation_keys
  - Search: name ~ ak_test
Organization:
  view_organizations, assign_organizations
  view_subscriptions, attach_subscriptions, unattach_subscriptions

2. Use hammer to add host collection to the activation key

# hammer -u limited -p redhat activation-key add-host-collection --host-collection "Test_A_Dev" --name ak_test --organization ACME
The host collection has been associated

# hammer -u limited -p redhat activation-key remove-host-collection --host-collection "Test_A_Dev" --name ak_test --organization ACME
The host collection has been removed

3. Log into the satellite web interface as the "limited" user
4. Navigate to Content > Activation Keys > "ak_test" > Host Collections > Add

Actual results:
At step #4 the "Add Selected" button is missing, as is the "Remove Selected" button on the "List/Remove" tab (I have a patch for this).

After applying my patch for this, attempts to submit the changes result in an error from the backend.

The web debugger yields the following
--------
Request URL: https://stuarta-sat6-test.usersys.redhat.com/katello/api/v2/activation_keys/13/host_collections
Request Method: POST
Status Code: 403 Forbidden
Remote Address: 10.33.9.40:443
--------
Request Payload
{"activation_key":{"host_collection_ids":[4]}}
--------
Response Payload
{
  "error": {"message":"Access denied","details":"Missing one of the required permissions: "}
}
--------

Note that the response payload does not list the missing permissions whilst running hammer in debug mode does. (To see this effect remove the organization access rights from the user)

Expected results:
1) The "Add Selected" and "Remove Selected" buttons should be visible if the user has the "edit_activation_keys" privilege.
2) If the user has this privilege, modification of the activation key via the GUI should be possible.

Additional info:
Upstream patch for the button part of the issue https://github.com/Katello/katello/commit/3a2f00362c7c05b8674e31e146d8037cff954ca5
Followed the rabbit hole further.

This is http://projects.theforeman.org/issues/16997
which is https://bugzilla.redhat.com/show_bug.cgi?id=1304815
which is fixed in 6.2.5

Sigh, apologies for the noise.

*** This bug has been marked as a duplicate of bug 1304815 ***