Bug 1639387 - User with View My Tasks permission can see other users tasks via API
Summary: User with View My Tasks permission can see other users tasks via API
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: API
Version: 5.9.5
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: GA
Target Release: 5.11.0
Assignee: Joe Vlcek
QA Contact: Sudhir Mallamprabhakara
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-10-15 15:29 UTC by Antonin Pagac
Modified: 2019-12-12 13:34 UTC

Fixed In Version: 5.11.0.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-12 13:34:23 UTC
Category: ---
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:4199 | 0 | None | None | None | 2019-12-12 13:34:40 UTC

Description Antonin Pagac 2018-10-15 15:29:47 UTC
Description of problem:
User with the product feature Settings -> Tasks -> View -> My Tasks can view only his own tasks via the UI, but can see other users' tasks via the API.

Version-Release number of selected component (if applicable):
5.9.5.1
5.10.0.19

How reproducible:
Always

Steps to Reproduce:
1. Create a user with Settings -> Tasks -> View -> My Tasks (but not All Tasks), for example EvmRole-support
2. Navigate to Tasks via UI, verify you can see only "My Tasks"
3. Query API with the user

Actual results:
User can see all tasks, not only the ones created by him

Expected results:
User should see only his tasks

Additional info:
API query example:
curl -k "https://<username>:<password>@<IP>/api/tasks/"
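
The steps above can be turned into a repeatable check. The following script is an added example for this page, not code from the reporter or from the ManageIQ project: it fetches the tasks collection as the restricted user and reports any task whose owner is not the requesting user, which is exactly the condition the report describes. It assumes (not stated on the page) that /api/tasks accepts the standard ManageIQ query parameters expand=resources and attributes=..., and that each task resource carries a "userid" attribute naming its owner. The embedded response is constructed for the offline demo; set CFME_URL, CFME_USER and CFME_PASSWORD to run it against an appliance.

```ruby
# Added example (not from the bug report or the ManageIQ project): an API-side
# check for the behaviour described above. Assumptions, not taken from the page:
# the tasks collection honours expand=resources and attributes=..., and each
# task resource has a "userid" attribute naming its owner.
require "json"
require "net/http"
require "uri"
require "openssl"

# Parse a ManageIQ collection response and return the expanded task resources.
def parse_tasks(body)
  JSON.parse(body).fetch("resources", [])
end

# Return the tasks in `tasks` that belong to a user other than `username`.
# With "My Tasks" only, this list must be empty; anything in it is a leak.
def foreign_tasks(tasks, username)
  tasks.reject { |t| t["userid"] == username }
end

# Human-readable verdict for the check.
def leak_report(tasks, username)
  leaked = foreign_tasks(tasks, username)
  return "OK: all #{tasks.size} task(s) belong to #{username}" if leaked.empty?
  lines = ["LEAK: #{leaked.size} of #{tasks.size} task(s) belong to other users:"]
  leaked.each { |t| lines << "  #{t['href']} userid=#{t['userid']} name=#{t['name']}" }
  lines.join("\n")
end

# Fetch the tasks collection from a live appliance (not used by the offline demo).
# insecure: true mirrors curl -k from the report; keep it for lab appliances only.
def fetch_tasks(base_url, username, password, insecure: false)
  uri = URI.join(base_url, "/api/tasks?expand=resources&attributes=userid,name,state,status")
  req = Net::HTTP::Get.new(uri)
  req.basic_auth(username, password)
  req["Accept"] = "application/json"
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == "https")
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE if insecure
  res = http.request(req)
  raise "HTTP #{res.code} from #{uri}" unless res.is_a?(Net::HTTPSuccess)
  parse_tasks(res.body)
end

# Constructed sample response shaped like a ManageIQ collection with expanded
# resources; not captured from a real appliance.
SAMPLE_RESPONSE = <<~JSON
  {
    "name": "tasks",
    "count": 3,
    "subcount": 3,
    "resources": [
      {"href": "https://cfme.example/api/tasks/1", "id": "1", "name": "Refresh",   "userid": "support1", "state": "Finished", "status": "Ok"},
      {"href": "https://cfme.example/api/tasks/2", "id": "2", "name": "Provision", "userid": "admin",    "state": "Finished", "status": "Ok"},
      {"href": "https://cfme.example/api/tasks/3", "id": "3", "name": "Retire",    "userid": "bob",      "state": "Active",   "status": "Ok"}
    ]
  }
JSON

if $PROGRAM_NAME == __FILE__
  me = ENV.fetch("CFME_USER", "support1")
  tasks = if ENV["CFME_URL"]
            fetch_tasks(ENV["CFME_URL"], me, ENV.fetch("CFME_PASSWORD"),
                        insecure: ENV["CFME_INSECURE"] == "1")
          else
            parse_tasks(SAMPLE_RESPONSE)
          end
  puts leak_report(tasks, me)
end
```

Run it with a user that holds My Tasks but not All Tasks (the report's EvmRole-support); on an affected build the sample-style output lists the foreign tasks, on a fixed build it prints only the user's own.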

Comment 4 CFME Bot 2018-12-21 16:30:51 UTC
New commit detected on ManageIQ/manageiq/master:

https://github.com/ManageIQ/manageiq/commit/485a2df11367f58dacd3e641ee8deb7ffdb53d57
commit 485a2df11367f58dacd3e641ee8deb7ffdb53d57
Author:     Joe VLcek <jvlcek>
AuthorDate: Thu Dec 20 13:53:34 2018 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Thu Dec 20 13:53:34 2018 -0500

    Ensure a user's own tasks are the only ones returned when the user's role has View/My Tasks

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1639387

 app/models/miq_product_feature.rb | 6 +-
 app/models/miq_user_role.rb | 4 +
 app/models/user.rb | 2 +-
 spec/models/miq_user_role_spec.rb | 16 +
 4 files changed, 25 insertions(+), 3 deletions(-)

Comment 5 CFME Bot 2018-12-21 22:37:34 UTC
New commit detected on ManageIQ/manageiq-api/master:

https://github.com/ManageIQ/manageiq-api/commit/905f429b0cf01325031090812b2dd7992f42667b
commit 905f429b0cf01325031090812b2dd7992f42667b
Author:     Joe VLcek <jvlcek>
AuthorDate: Thu Dec 13 16:08:49 2018 -0500
Commit:     Joe VLcek <jvlcek>
CommitDate: Thu Dec 13 16:08:49 2018 -0500

    Ensure a user's own tasks are the only ones returned when the user's role has View/My Tasks

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1639387

 app/controllers/api/base_controller/renderer.rb | 12 +-
 app/controllers/api/tasks_controller.rb | 11 +
 spec/requests/tasks_spec.rb | 42 +-
 3 files changed, 55 insertions(+), 10 deletions(-)
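
The two commits above touch both the core models and the API renderer, which matches the root cause the report implies: the My Tasks restriction was applied by the UI but not by the code path the API used. The following is an added illustration for this page, written in plain Ruby and not the ManageIQ fix itself, of the pattern such a fix needs: the restriction lives in one authorization-aware accessor that every entry point (UI and API, collection and single resource) goes through. The feature identifiers :view_all_tasks and :view_my_tasks and the task records are hypothetical stand-ins, not the product's real feature identifiers.

```ruby
# Added example, not the ManageIQ fix: the server-side shape of a "my tasks only"
# control. Feature names and records below are hypothetical.
Task = Struct.new(:id, :userid, :name)
User = Struct.new(:userid, :features) do
  # Stand-in for a role/product-feature check; feature names are hypothetical.
  def role_allows?(feature)
    features.include?(feature)
  end
end

# Constructed sample records, not data from the page.
ALL_TASKS = [
  Task.new(1, "support1", "Refresh"),
  Task.new(2, "admin",    "Provision"),
  Task.new(3, "bob",      "Retire"),
].freeze

# Vulnerable shape: the API path only checks that the user may view tasks at all
# and then returns the whole table; the "My Tasks" narrowing lived in the UI.
def tasks_via_api_before(user, tasks = ALL_TASKS)
  return [] unless user.role_allows?(:view_all_tasks) || user.role_allows?(:view_my_tasks)
  tasks
end

# Fixed shape: one authorization-aware accessor; every entry point goes through it.
def tasks_for(user, tasks = ALL_TASKS)
  if user.role_allows?(:view_all_tasks)
    tasks
  elsif user.role_allows?(:view_my_tasks)
    tasks.select { |t| t.userid == user.userid }
  else
    []
  end
end

def tasks_via_ui(user, tasks = ALL_TASKS)
  tasks_for(user, tasks)
end

def tasks_via_api_after(user, tasks = ALL_TASKS)
  tasks_for(user, tasks)
end

# The single-resource route must use the same scope, otherwise a guessed id
# bypasses the collection filter. Returns nil ("not found") for foreign tasks.
def task_for(user, id, tasks = ALL_TASKS)
  tasks_for(user, tasks).find { |t| t.id == id }
end
```

The regression test to keep is the one implied by the report: for a user with only My Tasks, the API collection must equal what the UI shows, and a direct fetch of another user's task id must not succeed.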

Comment 6 Antonin Pagac 2019-04-29 11:49:35 UTC
Verified with 5.11.0.1.

Comment 10 errata-xmlrpc 2019-12-12 13:34:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:4199
