Bug 1853681 - User without generate_foreman_rh_cloud permission can try to generate report
Summary: User without generate_foreman_rh_cloud permission can try to generate report
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: RH Cloud - Inventory
Version: 6.8.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: 6.9.0
Assignee: Shimon Shtein
QA Contact: Jameer Pathan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-03 14:34 UTC by Mirek Długosz
Modified: 2021-04-21 13:17 UTC (History)

Fixed In Version: 2.0.13
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-21 13:15:01 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:1313 0 None None None 2021-04-21 13:17:10 UTC

Description Mirek Długosz 2020-07-03 14:34:10 UTC
A user without the "generate_foreman_rh_cloud" permission can still try to generate a report, and won't be informed about the missing permission. Depending on how aware the user is of their limited permissions, it may lead to the user thinking that the plugin is not working.


Steps:
1. Create a user with view_foreman_rh_cloud, but without the generate_foreman_rh_cloud permission
2. Log in as that user and open the RH Cloud - Inventory page
3. Click "Restart" to force regeneration of the report


Actual:
Nothing visible happens. For around a second, it looks like the report is being generated (there's a "loading" circle visible).
In the browser's web tools, I can see that the POST to /foreman_inventory_upload/:id/reports returned a 403 HTTP code. The response contains HTML instead of JSON.


Expected:
Disable the "Restart" button, so users can't get themselves into this situation.
Or handle the 403 code returned by the service and display an error message to the user.


Found on:
Satellite 6.8.0 snap 7
foreman-2.1.0-0.22.rc3.el7sat.noarch
pulp-server-2.21.2-1.el7sat.noarch
katello-3.16.0-0.3.rc3.el7sat.noarch
satellite-6.8.0-0.6.beta.el7sat.noarch
tfm-rubygem-foreman_rh_cloud-2.0.8-1.el7sat.noarch

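The description above pins down two client-side defects: the "Restart" action is offered to a user who lacks the permission to use it, and the 403/HTML reply is parsed as JSON, fails silently, and leaves the user with nothing but a spinner. The following is an added example (not foreman_rh_cloud's own code) showing the buggy handling beside a hardened version that checks the status code and content type before parsing, always returns something the UI can render, and gates the action on the permission named in the bug. The reply objects and the permission-list shape are constructed for this example.

```javascript
// Constructed sample replies modelled on the bug report: a normal JSON reply
// and the 403 reply whose body is an HTML error page rather than JSON.
const SAMPLE_REPLIES = {
  success: {
    status: 200,
    contentType: 'application/json; charset=utf-8',
    body: '{"report_status":"generating"}',
  },
  forbiddenHtml: {
    status: 403,
    contentType: 'text/html; charset=utf-8',
    body: '<html><body><h1>403 Forbidden</h1></body></html>',
  },
};

// The buggy pattern: assume every reply carries JSON and swallow parse
// failures. On the 403/HTML reply this returns null, so the UI has nothing
// to show, which is exactly the "nothing visible happens" symptom.
function naiveHandle(reply) {
  try {
    return { state: 'ok', data: JSON.parse(reply.body) };
  } catch (e) {
    return null;
  }
}

// Hardened pattern: decide on the status code first (authorization failures
// get their own message), then verify the body is JSON before parsing it,
// and never return anything the UI cannot render as a message.
function classifyReply(reply) {
  if (reply.status === 403) {
    return {
      state: 'forbidden',
      message: 'You do not have permission to generate this report (HTTP 403).',
    };
  }
  if (reply.status < 200 || reply.status >= 300) {
    return { state: 'error', message: `Request failed with status code ${reply.status}` };
  }
  const isJson = /^application\/json\b/i.test(reply.contentType || '');
  if (!isJson) {
    return { state: 'error', message: `Unexpected response type: ${reply.contentType}` };
  }
  try {
    return { state: 'ok', data: JSON.parse(reply.body) };
  } catch (e) {
    return { state: 'error', message: 'Malformed JSON in server response' };
  }
}

// The other fix the reporter proposed: do not offer "Restart" at all unless
// the user holds generate_foreman_rh_cloud. The permission names are the ones
// from the bug; representing them as a plain array is an assumption.
function canRestart(permissions) {
  return permissions.includes('generate_foreman_rh_cloud');
}

// Stand-alone demonstration of both handlers against the sample replies.
console.log('naive on 403/HTML:', naiveHandle(SAMPLE_REPLIES.forbiddenHtml));
console.log('hardened on 403/HTML:', classifyReply(SAMPLE_REPLIES.forbiddenHtml));
console.log('hardened on 200/JSON:', classifyReply(SAMPLE_REPLIES.success));
console.log('viewer may restart:', canRestart(['view_foreman_rh_cloud']));
```

Checking the status before touching the body is what makes the difference: a server that answers an authorization failure with an HTML page is normal, so a client that only ever calls JSON.parse on the body has no path on which to tell the user what went wrong. Hiding the button is a usability improvement, not the control; the server-side permission check is what actually denies the request, and the client must still handle the 403 for users whose permissions change mid-session.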
Comment 3 Brad Buckingham 2021-01-08 20:59:54 UTC
Early Satellite 6.9 snap includes tfm-rubygem-foreman_rh_cloud-1.0.12-1.el7sat.noarch.rpm.  Since it appears that this is already included, aligning to release and updating state.

Comment 4 Jameer Pathan 2021-01-29 14:23:29 UTC
Verified

Verified with:
- Satellite 6.9.0 snap 11
- tfm-rubygem-foreman_rh_cloud-3.0.14-1.el7sat.noarch
- foreman-2.3.1.4-1.el7sat.noarch
- katello-3.18.1-1.el7sat.noarch
- pulp-server-2.21.4-2.el7sat.noarch

Test steps:

1. Create a Role having view_foreman_rh_cloud permission only.
2. Create a user and assign the Role created to it.
3. Log in as that user and open the RH Cloud - Inventory page
4. Click "Restart" to force regeneration of the report

Observation:
- "Request failed with status code 403" error message on the Satellite UI.

Comment 7 errata-xmlrpc 2021-04-21 13:15:01 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1313

