Bug 1594757 - [RFE] non-admin user can't see requests under /api/requests
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.9.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.10.0
Assignee: Keenan Brock
QA Contact: Antonin Pagac
Reported: 2018-06-25 11:00 UTC by Niladri Roy
Modified: 2019-02-07 23:03 UTC (History)

Fixed In Version: 5.10.0.4
Last Closed: 2019-02-07 23:03:14 UTC
Category: ---
Cloudforms Team: CFME Core

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0212 None None None 2019-02-07 23:03:24 UTC

Description Niladri Roy 2018-06-25 11:00:00 UTC
Description of problem:
It seems to be impossible to get the requests list from the API as a non-admin user; only admin can get requests from the API.

Version-Release number of selected component (if applicable):
5.9.2.4

How reproducible:


Steps to Reproduce:
1. See the list of requests in the Web portal by going to Service>Requests as a non-admin user
2. Make an API query to /api/requests as the same user

Actual results:
count: shows non zero value
subcount: 0

Expected results:
Using the web portal, requests can be seen under Services>Requests; it should also show requests at /api/requests for the same user.

Additional info:
User is in custom group with custom role having full access and no filter.

Comment 8 Keenan Brock 2018-06-27 16:25:57 UTC
I added a product feature 'miq_request_superadmin' for viewing/creating requests in https://bugzilla.redhat.com/show_bug.cgi?id=1090627

before: only users in the default admin group (not a copy) could view requests.
after: a copy of the admin group or other groups with the feature can now view requests

There were a number of BZs that seemed to want the same type of solution. I tried to build that solution to solve the general solution.

Please let me know if it conflicts with your needs here.

Comment 9 Milan Zázrivec 2018-06-27 17:05:43 UTC
Keenan, please correct me if I'm wrong, but as far as I can tell, to have this
fixed in current 5.9, we'd have to backport all of the PRs (Core + UI + API) from
https://bugzilla.redhat.com/show_bug.cgi?id=1090627 over to 5.9.

Seeing https://bugzilla.redhat.com/show_bug.cgi?id=1090627 is actually an RFE
and would require a non-trivial amount of work to be done (including rigorous
testing), this needs to be re-evaluated whether or not this is 5.9 material.

Comment 14 Keenan Brock 2018-09-04 14:35:41 UTC
Milan,

Think this can be closed - it should be in master.

--K

Comment 15 Milan Zázrivec 2018-09-04 14:42:45 UTC
The work here has already been done by Keenan (it's all in current master),
I'm moving this over to POST so that it can be properly verified.

Comment 16 Antonin Pagac 2019-01-21 16:54:49 UTC
Appliance version: 5.10.0.32

Non-admin user can now see his requests if he has Services -> Requests -> View permission.
UI is consistent with API.

Comment 17 errata-xmlrpc 2019-02-07 23:03:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:0212

