Bug 1787147 - An admin cannot GET subscription/manifest uploaded in org created by another admin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Subscription Management
Version: 6.7.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: 6.7.0
Assignee: satellite6-bugs
QA Contact: jcallaha
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-12-31 14:45 UTC by Jitendra Yejare
Modified: 2020-04-14 13:28 UTC (History)

Fixed In Version: tfm-rubygem-katello-3.14.0.10-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-14 13:28:12 UTC
Target Upstream Version:

Links (System / ID / Priority / Status / Summary / Last Updated):
- Foreman Issue Tracker 28751 / Normal / Closed / An admin cannot GET subscription/manifest uploaded in org created by another admin / 2020-03-18 23:31:37 UTC
- Github Katello katello pull 8520 / None / closed / Fixes #28751 - Allow admin users to access subscriptions from all organizations / 2020-03-18 23:31:37 UTC
- Red Hat Product Errata RHSA-2020:1454 / None / None / None / 2020-04-14 13:28:22 UTC

Description Jitendra Yejare 2019-12-31 14:45:21 UTC
Description of problem:
An Admin cannot access / GET subscription uploaded by him in org, where the org is created by another admin.

Version-Release number of selected component (if applicable):
Satellite 6.7 snap 7

How reproducible:
Always

Steps to Reproduce:
1. Create an Admin user from SuperAdmin.
2. Create an org using the new Admin user.
3. Using SuperAdmin, upload the manifest with some subscription in the org created by the admin user.
4. Attempt to API GET the subscription from SuperAdmin or new Admin.

Actual results:
The GET request fails with error:
"
"errors":["This subscription is not relevant to the current user and organization."

Expected results:
Admins should be able to access the subscriptions created by another admin or in org created by another admin.

Additional info:

Comment 3 Brad Buckingham 2020-01-07 14:21:51 UTC
Hi Jitendra, is this a regression from previous release?

Comment 4 Jitendra Yejare 2020-01-09 15:55:57 UTC
Hello Brad, the bug is not reproducible on Satellite 6.6. So it's a regression.

Comment 6 Jeremy 2020-01-14 20:57:57 UTC
Created redmine issue https://projects.theforeman.org/issues/28751 from this bug

Comment 7 Jeremy 2020-01-16 20:18:33 UTC
Hi Jitendra,

I'm able to reproduce the issue when using the endpoint GET subscriptions/:id.

However, using GET organizations/:id/subscriptions/:id may work around the issue.  (that's what the web UI does.)

Which API endpoint are you using to make the request?  Would using the endpoint above be a viable workaround?

Comment 8 Jitendra Yejare 2020-01-17 14:54:13 UTC
Hey Jeremy,

Yes, I am using the same endpoint with which you could repro the issue: katello/api/v2/subscriptions

I think the workaround is viable and we can altogether remove the katello/api/v2/subscriptions that has nothing to do with org.

Comment 9 Bryan Kearney 2020-01-22 17:04:30 UTC
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28751 has been resolved.

Comment 10 Stephen Wadeley 2020-01-29 20:45:48 UTC

see also
Bug 1774953 - GET katello/api/v2/subscriptions/:id always fails with error: This subscription is not relevant to the current organization

Comment 12 jcallaha 2020-02-12 17:32:09 UTC
Verified in Satellite 6.7 Beta

Followed the reproducer steps and was able to pull the subscriptions from the other organization, when querying as the admin user.


-bash-4.2# curl -u admin:changeme https://$(hostname)/katello/api/organizations/24/subscriptions
{"organization":{},"total":2,"subtotal":2,"page":1,"per_page":20,"error":null,"search":null,"sort":{"by":"name","order":"asc"},"results":
... 
Platforms","unmapped_guest":false,"virt_only":false,"virt_who":false,"upstream":true,"upstream_pool_id":"_______________"}]}
 
-bash-4.2# curl -u admin:changeme https://$(hostname)/katello/api/subscriptions
{"organization":{},"total":4,"subtotal":4,"page":1,"per_page":20,"error":null,"search":null,"sort":{"by":"name","order":"asc"},"results":
...
tools","unmapped_guest":false,"virt_only":false,"virt_who":false,"upstream":false,"upstream_pool_id":null}]}

-bash-4.2# curl -u admin:changeme https://$(hostname)/katello/api/v2/subscriptions
{"organization":{},"total":4,"subtotal":4,"page":1,"per_page":20,"error":null,"search":null,"sort":{"by":"name","order":"asc"},"results":
...
tools","unmapped_guest":false,"virt_only":false,"virt_who":false,"upstream":false,"upstream_pool_id":null}]}
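The verification in comment 12 can be turned into a repeatable regression check: every subscription an admin can list through the org-scoped endpoint must also be retrievable through the org-less GET katello/api/v2/subscriptions/:id, and the "not relevant" error from the description must no longer appear. This is an added example, not code from the bug or from Katello; the fetcher callable, the sample responses and the live urllib fetcher are assumptions.

```python
"""Regression check for this bug: subscriptions listed via
GET katello/api/organizations/:org_id/subscriptions must each be readable via
GET katello/api/v2/subscriptions/:id by an admin (no org in the request)."""
import base64
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Iterable, List

# Error string quoted in the bug description.
NOT_RELEVANT = "This subscription is not relevant to the current user and organization."


def find_inaccessible(fetch: Callable[[str], Dict[str, Any]],
                      org_ids: Iterable[int]) -> Dict[int, List[int]]:
    """Return {org_id: [subscription ids whose org-less GET fails]}.
    fetch(path) returns the decoded JSON body of GET <satellite>/<path>,
    for both 2xx and error responses. An empty dict means the bug is fixed."""
    bad: Dict[int, List[int]] = {}
    for org in org_ids:
        listing = fetch(f"katello/api/organizations/{org}/subscriptions")
        for sub in listing.get("results", []):
            body = fetch(f"katello/api/v2/subscriptions/{sub['id']}")
            errors = body.get("errors") or []
            if NOT_RELEVANT in errors or body.get("id") != sub["id"]:
                bad.setdefault(org, []).append(sub["id"])
    return bad


def live_fetch_factory(base_url: str, user: str, password: str) -> Callable[[str], Dict[str, Any]]:
    """Assumed real fetcher: HTTP basic auth like the curl calls in comment 12.
    Error bodies (e.g. HTTP 404 with an "errors" list) are returned, not raised."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(path: str) -> Dict[str, Any]:
        req = urllib.request.Request(f"{base_url}/{path}",
                                     headers={"Authorization": f"Basic {token}"})
        try:
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            return json.load(err)
    return fetch


# Constructed responses shaped like the comment 12 output (ids and names invented).
FIXED = {"katello/api/organizations/24/subscriptions": {"results": [{"id": 7, "name": "Sub A"}]},
         "katello/api/v2/subscriptions/7": {"id": 7, "name": "Sub A"}}
BROKEN = {"katello/api/organizations/24/subscriptions": {"results": [{"id": 7, "name": "Sub A"}]},
          "katello/api/v2/subscriptions/7": {"errors": [NOT_RELEVANT]}}


def fake_fetch(responses: Dict[str, Dict[str, Any]]) -> Callable[[str], Dict[str, Any]]:
    """Offline fetcher that serves the constructed responses above."""
    return lambda path: json.loads(json.dumps(responses[path]))


if __name__ == "__main__":
    print(find_inaccessible(fake_fetch(BROKEN), [24]))  # {24: [7]}
```

Against a live server you would pass `live_fetch_factory("https://satellite.example", "admin", "changeme")` (placeholder host) and the org ids to check; any non-empty result reproduces the bug.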

Comment 15 errata-xmlrpc 2020-04-14 13:28:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1454
