New commit detected on ManageIQ/manageiq-api/ivanchuk:
https://github.com/ManageIQ/manageiq-api/commit/a27dbb8f115b1146d8d06e3b993a96d3cad9225b

commit a27dbb8f115b1146d8d06e3b993a96d3cad9225b
Author: Libor Pichler <lpichler>
AuthorDate: Fri Oct 25 09:06:05 2019 -0400
Commit: Libor Pichler <lpichler>
CommitDate: Fri Oct 25 09:06:05 2019 -0400

    Merge pull request #692 from martinpovolny/hardening_collections

    Hardening collections

    (cherry picked from commit 2d7f6ce87fb3f2f4b796d6e87d962114679b00d4)
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1784102

 config/api.yml                    | 15 +
 spec/lib/api/api_config_spec.rb   | 10 +
 spec/requests/enterprises_spec.rb | 19 +-
 spec/requests/roles_spec.rb       | 22 +-
 spec/requests/servers_spec.rb     | 12 +-
 5 files changed, 70 insertions(+), 8 deletions(-)
Hi Martin, what has changed with this enhancement? How do I test it?
FIXED. Verified on 5.11.2.0.20200113212029_18edbd8 on the basis of the changes made by the PR (https://github.com/ManageIQ/manageiq-api/pull/692).

To test these changes, I created 2 users: 1 with the EvmRole-user role and another with a role that only had permission to the API feature.

1. A user without enough permissions cannot access the "servers" and "enterprises" collections, which they were able to do earlier.
2. Apart from the whitelisted collections mentioned here (https://github.com/ManageIQ/manageiq-api/pull/692/files#diff-b6270c43055f4b35d1cf94f20311f0e0R19), I see other collections such as "custom_button_sets", "custom_buttons", "service_offerings", and "service_parameter_sets".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0452