Bug 1757394 - [BUG] Non-admin users always get "Missing one of the required permissions" message while accessing their own table_preferences via Satellite 6 API
Summary: [BUG] Non-admin users always get "Missing one of the required permissions" me...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Users & Roles
Version: 6.6.0
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: 6.8.0
Assignee: satellite6-bugs
QA Contact: Radovan Drazny
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-10-01 11:59 UTC by Sayan Das
Modified: 2020-10-19 13:53 UTC
CC List: 3 users

Fixed In Version: foreman-2.0.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:




Links
System: Foreman Issue Tracker
ID: 28405
Priority: Normal
Status: Closed
Summary: Non-admin users always get "Missing one of the required permissions" message while accessing their own table_preferences...
Last Updated: 2020-06-25 08:37:36 UTC

Description Sayan Das 2019-10-01 11:59:36 UTC
Description of problem:

Non-Admin Users cannot access their own table_preferences via REST API, no matter what possible combination of roles has been assigned to them.

The same user will be able to access the table_preferences, when you mark the user as "ADMIN".

Version-Release number of selected component (if applicable):


How reproducible:
100 %

Steps to Reproduce:
1. Create a user "NA-USER" in the Satellite GUI but don't mark it as Admin.

2. Try to access the API https://sat-fqdn/api/users/:id/table_preferences where the ":id" is the ID of "NA-USER" and authentication is being done by the same user.

3. Assign all the Roles to the user "NA-USER" but don't mark it as "Admin" and then try accessing the API again.


Actual results:
In both steps 2 and 3, the REST API returns:
~~~~~~~~~~~~
{
    "error": {
        "message": "Access denied",
        "details": "Missing one of the required permissions: "
    }
}
~~~~~~~~~~~~


Expected results:
It should display the table_preferences without throwing any error.


Additional info:
If I mark the same user as Admin, it will be able to execute the API successfully and will be able to see the result as well.

I went through the discussion "https://community.theforeman.org/t/user-preferences/12007/4", but was unable to get any pointers from it that might help me understand what the problem might be here.

Comment 4 Dominik Matoulek 2019-12-03 14:15:44 UTC
Created redmine issue https://projects.theforeman.org/issues/28405 from this bug

Comment 5 Bryan Kearney 2020-01-17 17:02:20 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28405 has been resolved.

Comment 6 Radovan Drazny 2020-06-25 14:33:08 UTC
Tested on Sat 6.8 Snap 5.

$ hammer user list --organization-id 1
---|-------|------------|------------------------------|-------|---------------------|--------------
ID | LOGIN | NAME       | EMAIL                        | ADMIN | LAST LOGIN          | AUTHORIZED BY
---|-------|------------|------------------------------|-------|---------------------|--------------
5  | raduz |            | raduz@localhost              | no    | 2020/06/25 14:22:56 | Internal     
4  | admin | Admin User | root@vms.sat.rdu2.redhat.com | yes   | 2020/06/25 14:26:25 | Internal     
---|-------|------------|------------------------------|-------|---------------------|--------------

-----
On a client

Accessing table_preferences for the correct user

$ curl -ku admin:changeme https://dhcp-3-238.vms.sat.rdu2.redhat.com/api/users/4/table_preferences | json_reformat
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   151    0   151    0     0    162      0 --:--:-- --:--:-- --:--:--   162
{
    "total": 0,
    "subtotal": 0,
    "page": 1,
    "per_page": 20,
    "search": null,
    "sort": {
        "by": null,
        "order": null
    },
    "results": [

    ]
}


Accessing table_preferences for an incorrect (different) user

$ curl -ku admin:changeme https://dhcp-3-238.vms.sat.rdu2.redhat.com/api/users/5/table_preferences | json_reformat
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   140    0   140    0     0    159      0 --:--:-- --:--:-- --:--:--   158
{
    "error": {
        "message": "Access denied",
        "details": "You are trying access the preferences of a different user",
        "missing_permissions": null
    }
}


Accessing table_preferences for a correct user without the admin flag

$ curl -ku raduz:nimda https://dhcp-3-238.vms.sat.rdu2.redhat.com/api/users/5/table_preferences | json_reformat
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   151    0   151    0     0    170      0 --:--:-- --:--:-- --:--:--   170
{
    "total": 0,
    "subtotal": 0,
    "page": 1,
    "per_page": 20,
    "search": null,
    "sort": {
        "by": null,
        "order": null
    },
    "results": [

    ]
}
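The three checks in the comment above can be turned into a repeatable regression test. The script below is an added example and is not part of the bug report or of Foreman/Satellite; it encodes the rule verified on Sat 6.8 (a user may read their own table preferences regardless of the admin flag, and a request for a different user's preferences is refused) and compares it against what the endpoint actually answers. The host, credentials and user ids are placeholders taken from the outputs above, the HTTP status codes and the two fake fetchers are constructed assumptions, and the response bodies are copied from this page.

```python
"""Regression check for per-user access to /api/users/:id/table_preferences.

Added example, not code from the bug report or from the Foreman project.
The live fetcher uses only the standard library; the fake fetchers let the
same cases run offline against constructed responses.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request


def expected_outcome(auth_user_id: int, target_user_id: int) -> str:
    """Rule verified in Comment 6: ownership, not the admin flag, decides access."""
    return "ok" if auth_user_id == target_user_id else "denied_other_user"


def classify_response(status: int, body: str) -> str:
    """Map an API response to one of the outcomes seen on this bug."""
    data = json.loads(body)
    if status == 200 and "results" in data:
        return "ok"
    details = data.get("error", {}).get("details", "")
    if "different user" in details:
        return "denied_other_user"
    if details.startswith("Missing one of the required permissions"):
        return "denied_missing_permission"  # pre-fix behaviour from the description
    return "unexpected"


def fetch_table_preferences(base_url, login, password, user_id, verify_tls=True):
    """GET /api/users/:id/table_preferences with HTTP basic auth; returns (status, body)."""
    req = urllib.request.Request(f"{base_url}/api/users/{user_id}/table_preferences")
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # equivalent of curl -k; only for lab instances
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def run_cases(cases, fetch):
    """Run each (login, password, auth_user_id, target_user_id) case; return mismatches."""
    mismatches = []
    for login, password, auth_id, target_id in cases:
        status, body = fetch(login, password, target_id)
        got = classify_response(status, body)
        want = expected_outcome(auth_id, target_id)
        if got != want:
            mismatches.append((login, target_id, want, got))
    return mismatches


# Response bodies copied from the page; HTTP status codes below are assumed.
SAMPLE_OK = json.dumps({"total": 0, "subtotal": 0, "page": 1, "per_page": 20,
                        "search": None, "sort": {"by": None, "order": None}, "results": []})
SAMPLE_OTHER_USER = json.dumps({"error": {
    "message": "Access denied",
    "details": "You are trying access the preferences of a different user",
    "missing_permissions": None}})
SAMPLE_MISSING_PERM = json.dumps({"error": {
    "message": "Access denied",
    "details": "Missing one of the required permissions: "}})

# Cases from Comment 6: ids and logins as shown in the hammer output (placeholders).
USER_IDS = {"admin": 4, "raduz": 5}
CASES = [("admin", "changeme", 4, 4), ("admin", "changeme", 4, 5), ("raduz", "nimda", 5, 5)]


def fake_fetch_fixed(login, password, target_id):
    """Constructed stand-in for the fixed server (behaviour seen in Comment 6)."""
    if USER_IDS[login] == target_id:
        return 200, SAMPLE_OK
    return 403, SAMPLE_OTHER_USER


def fake_fetch_broken(login, password, target_id):
    """Constructed stand-in for the server in the description: non-admins always refused."""
    if login != "admin":
        return 403, SAMPLE_MISSING_PERM
    return fake_fetch_fixed(login, password, target_id)


if __name__ == "__main__":
    # Offline run; swap in a lambda around fetch_table_preferences for a live instance.
    print("fixed server mismatches:", run_cases(CASES, fake_fetch_fixed))
    print("broken server mismatches:", run_cases(CASES, fake_fetch_broken))
```

Against a live instance, pass `lambda l, p, uid: fetch_table_preferences("https://sat-fqdn", l, p, uid)` as the fetcher; an empty mismatch list means the endpoint behaves as verified above, and a `denied_missing_permission` entry for the non-admin user's own id reproduces the original report.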

