Bug 1594275 - Users can see items which they don't have permissions/access to under services they own
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.9.3
Assignee: Milan Zázrivec
QA Contact: Landon LaSmith
URL:
Whiteboard:
Depends On: 1589266 1595418
Blocks:
Reported: 2018-06-22 13:49 UTC by Satoe Imaishi
Modified: 2022-07-09 09:55 UTC

Fixed In Version: 5.9.3.3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1589266
Environment:
Last Closed: 2018-07-12 13:17:05 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2184 0 None None None 2018-07-12 13:17:33 UTC

Comment 2 CFME Bot 2018-06-22 14:00:31 UTC
New commit detected on ManageIQ/manageiq-api/gaprindashvili:

https://github.com/ManageIQ/manageiq-api/commit/e225b647af5ad1dc104e7eab328fe7d1c00a6bc8
commit e225b647af5ad1dc104e7eab328fe7d1c00a6bc8
Author:     Gregg Tanzillo <gtanzill>
AuthorDate: Fri Jun 22 03:20:25 2018 -0400
Commit:     Gregg Tanzillo <gtanzill>
CommitDate: Fri Jun 22 03:20:25 2018 -0400

    Merge pull request #404 from mzazrivec/fix_rbac_in_vms_subcollection_for_services

    In list of services, fetch RBAC-filtered vms subcollection
    (cherry picked from commit a0ce54f2a19f7ad808e45d9b8f75733db0a40f79)

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1594275

 app/controllers/api/subcollections/vms.rb | 1 +
 spec/requests/services_spec.rb | 21 +-
 2 files changed, 19 insertions(+), 3 deletions(-)

Comment 4 Landon LaSmith 2018-06-29 20:36:52 UTC
Verification is currently blocked due to a bug while executing service requests in 5.9.3.3:

https://bugzilla.redhat.com/show_bug.cgi?id=1595418

Comment 5 Landon LaSmith 2018-07-05 22:30:53 UTC
VERIFIED in 5.9.3.4. While the total count of VMs ordered was displayed in the UI, a restricted user was only able to see ordered VMs that they had access to in the OPS and SSUI.

Comment 7 errata-xmlrpc 2018-07-12 13:17:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2184

