Description of problem:
After MiqRequest was made taggable in the PR [1] for BZ [2], we cannot see provision requests our users have created if the users are in groups with managed tags.

Credit goes to github user LorkScorguar who reported this issue and provided lots of diagnostics to help us fix this properly.

From their comments:

"After this fix, I don't have error on requests page, but with an account tied to a subtenant, I'm unable to see any requests even my own."

"This is what I have:

    rootTenant
        |
    subTenant
    /   |
sub2Tenant sub2Tenant2 sub2Tenant3

if a user from sub2Tenant create a request, he can't see other tenant requests (normal) but he can't see request on his tenant (abnormal), even he can't see his own requests. User from subTenant are also unable to see requests from descendant tenant. All users get rights from custom roles, not the default ones. I don't know if this can be the problem."

"I found the problem. It's not related to role, but to my group. On my group I have a filter by tag which is used to restrict view on some object, but miq_requests doesn't have tags, so users are unable to see their requests."

Here is the information:
Using the same tenant tree as before, this is what I have:

    rootTenant
        |
    subTenant
    /   |   \
sub2Tenant sub2Tenant2 sub2Tenant3

2 Tags:
business_group, can be: team1, team2, team3
business_unit, can be: fr, de, uk

We have 3 user groups:
groupA, attached to rootTenant and no filter, custom role full access
groupB, attached to rootTenant and filter business_unit=fr, custom role access to catalog, services and machines
groupC, attached to sub2Tenant and filter business_unit=fr & business_group=teamC, custom role access to catalog, services and machines (same as for groupB)

groupA have no problem seeing requests
groupB and groupC can see any requests even their own

I tried to remove the filter tag on groupB and then they are able to see requests, but I can't keep it like that.
I experiment with requests and giving group right to approve/deny + tag_assign on request allow user to see the request, but tag_assign only didn't help.

[1] https://github.com/ManageIQ/manageiq/pull/17466
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1576129

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Update to 5.8.4.4 OR on 5.9.2, apply the 5.9.2 hotfix found https://bugzilla.redhat.com/show_bug.cgi?id=1583710#c2
2. Assign tags such as /managed/environments/prod to a group for your user
3. Create any request, such as a provision request
4. Try to view this request in the UI as this user

Actual results:
User cannot see their own requests.

Expected results:
User can see their requests, any from within their tenant and any requests from subtenants.

Additional info:
This is a 5.8 and 5.9 only bug as 5.10 has not yet shipped.

https://bugzilla.redhat.com/show_bug.cgi?id=1576129 (5.10 - ON_QA)
https://bugzilla.redhat.com/show_bug.cgi?id=1583710 (5.9 - Verified, in 5.9.3.1, not shipped, hotfix provided for 5.9.2 and follow up issue from customer was reported after using the hotfix)
https://bugzilla.redhat.com/show_bug.cgi?id=1583711 (shipped in 5.8.4.4)
Please assess the impact of this issue and update the severity accordingly. Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition. If it's something like a tracker bug where it doesn't matter, please set the severity to Low.
https://github.com/ManageIQ/manageiq/pull/17656
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/f8c05532cf654cff8e39bded83c25af8fbec281c

commit f8c05532cf654cff8e39bded83c25af8fbec281c
Author:     Joe Rafaniello <jrafanie>
AuthorDate: Fri Jun 29 10:59:11 2018 -0400
Commit:     Joe Rafaniello <jrafanie>
CommitDate: Fri Jun 29 10:59:11 2018 -0400

    Remove Request taggable and prevent tag filtering

    MiqRequest was changed to allow ownership for self service and limited
    self-service users in ManageIQ #17208, BZ #1545395

    This caused a problem if you had tag filters assigned to a user's group:

    undefined method `find_tags_by_grouping'.

    This was fixed in ManageIQ #17466, BZ #1576129, and shipped with:
    Fine: BZ #1583711
    Gaprindashvili: BZ #1583710

    Unfortunately, this second fix to add taggable caused a new bug: users
    in groups having tag filters could not see their own requests.

    This commit changes MiqRequest to no longer be taggable, since it's not
    even taggable in the UI and instead, we add MiqRequest to a list of
    models that are RBAC'able but not taggable so we don't try to filter
    MiqRequest based on a user's group tag filters.

    Credit goes to github user LorkScorguar who reported this issue and
    provided lots of diagnostics to help us fix this properly.

    To test this, simply assign managed filters to a user's group, such as
    /managed/environments/production, create a request for that user and try
    to see that user's request. They couldn't see it if they received the
    intermediate fix, #17466, or if they didn't receive that fix, they'd
    receive the `find_tags_by_grouping` error shown above.

    For gaprindashvili and fine:
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596738

    For hammer:
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1576129

 app/models/miq_request.rb      |  2 -
 lib/rbac/filterer.rb           |  2 +-
 spec/lib/rbac/filterer_spec.rb | 41 +
 3 files changed, 42 insertions(+), 3 deletions(-)
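
The visibility rule the commit message describes, as an added Ruby sketch that is not ManageIQ's code: `ToyFilterer`, its `rbac_but_not_taggable` option, the sample records and the simplified "every filter tag must match" rule are assumptions constructed for illustration. It uses the tenant tree and the business_unit=fr filter from the report to show untagged requests dropping out under a group tag filter, and returning once the model is exempt from tag filtering while tenant scoping still applies.

```ruby
require "set"

# Constructed, simplified model; names are hypothetical, not ManageIQ's API.
Record = Struct.new(:model, :id, :tenant, :tags)
Group  = Struct.new(:tenant, :tag_filters)

# Tenant tree from the report, stored as child => parent.
PARENT = { "subTenant" => "rootTenant", "sub2Tenant" => "subTenant",
           "sub2Tenant2" => "subTenant", "sub2Tenant3" => "subTenant" }.freeze

# True when the record's tenant is the group's tenant or one of its descendants.
def in_tenant_scope?(record_tenant, group_tenant)
  tenant = record_tenant
  while tenant
    return true if tenant == group_tenant
    tenant = PARENT[tenant]
  end
  false
end

class ToyFilterer
  def initialize(rbac_but_not_taggable: [])
    @skip_tag_filter = rbac_but_not_taggable.to_set
  end

  # Ids of the records a member of `group` may see.
  def visible_ids(records, group)
    records.select { |r| allowed?(r, group) }.map(&:id)
  end

  private

  def allowed?(record, group)
    return false unless in_tenant_scope?(record.tenant, group.tenant)
    return true if group.tag_filters.empty?
    return true if @skip_tag_filter.include?(record.model) # tenancy alone decides
    # Simplification: every filter tag must be present on the record.
    group.tag_filters.all? { |tag| record.tags.include?(tag) }
  end
end

FR = "/managed/business_unit/fr"
RECORDS = [ # constructed sample data; requests carry no tags
  Record.new("Vm", 1, "sub2Tenant", [FR]),
  Record.new("Vm", 2, "sub2Tenant", ["/managed/business_unit/de"]),
  Record.new("MiqRequest", 10, "sub2Tenant", []),
  Record.new("MiqRequest", 11, "sub2Tenant2", [])
].freeze
GROUP_A = Group.new("rootTenant", [])
GROUP_B = Group.new("rootTenant", [FR])
GROUP_C = Group.new("sub2Tenant", [FR])
BEFORE = ToyFilterer.new                                      # tag filter hits every model
AFTER  = ToyFilterer.new(rbac_but_not_taggable: ["MiqRequest"])
```

Because the exempt model bypasses tag filters entirely, the tenant and ownership checks are the only remaining restriction on it, so a regression test for this kind of change should assert both that the user's own request is visible and that a sibling tenant's request is not.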
Requests are visible to user belonging to a group that is tagged. Verified in 5.10.0.3.20180705151325_ce4d2b5