A user who has no roles or permissions can still view a task's details, both through the web UI and through the API, if the user knows the UUID of the task.
This was introduced in foreman-tasks@79a0e2cb5. Before this commit, tasks were looked up through find_resource, which performed authorization checks. After this change, permissions are bypassed.
This has been fixed upstream in https://github.com/theforeman/foreman-tasks/commit/3104a46cf669ae62f9034e9547cb93cc03384cd9.
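The difference between the two lookup patterns described above, as an added Ruby example that is not Foreman or foreman-tasks code: `TaskStore`, the `:view_tasks` permission and the entry-point names are hypothetical stand-ins. It also includes a regression check that runs a user with no permissions against both the UI and API entry points.

```ruby
require 'securerandom'

# Simplified model; every name below is hypothetical, not Foreman's API.
Task = Struct.new(:id, :label)
User = Struct.new(:login, :permissions)
class Denied < StandardError; end

class TaskStore
  def initialize(tasks)
    @by_id = tasks.map { |t| [t.id, t] }.to_h
  end

  # Lookup by UUID alone: knowing the UUID is all that is required.
  def find_unscoped(uuid)
    @by_id[uuid]
  end

  # Lookup that checks the caller's permission before touching the record.
  def find_authorized(user, uuid)
    raise Denied, 'missing view_tasks' unless user.permissions.include?(:view_tasks)
    @by_id[uuid]
  end
end

# Each entry point (web UI, API) is a callable taking (store, user, uuid).
# Returns the names of entry points that hand a task to the given user;
# for a user without the view permission the list must be empty.
def leaking_entry_points(entry_points, store, user, uuid)
  entry_points.select do |_name, handler|
    begin
      !handler.call(store, user, uuid).nil?
    rescue Denied
      false
    end
  end.keys
end

SAMPLE_UUID = SecureRandom.uuid # constructed sample value
STORE = TaskStore.new([Task.new(SAMPLE_UUID, 'constructed sample task')])
NO_ROLES = User.new('noroles', [])
VIEWER = User.new('viewer', [:view_tasks])

UNSCOPED = {
  ui_show: ->(s, _u, id) { s.find_unscoped(id) },
  api_show: ->(s, _u, id) { s.find_unscoped(id) }
}.freeze
AUTHORIZED = {
  ui_show: ->(s, u, id) { s.find_authorized(u, id) },
  api_show: ->(s, u, id) { s.find_authorized(u, id) }
}.freeze
```

Running `leaking_entry_points` with a no-permission user against every route that resolves a record by identifier is the kind of test that catches this class of regression when a lookup helper is swapped out.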
This issue has been addressed in the following products:
Red Hat Satellite 6.6 for RHEL 7
Via RHSA-2019:3172 https://access.redhat.com/errata/RHSA-2019:3172
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):