Bug 1853681 - User without generate_foreman_rh_cloud permission can try to generate report
Summary: User without generate_foreman_rh_cloud permission can try to generate report
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: RH Cloud - Inventory
Version: 6.8.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: 6.9.0
Assignee: Shimon Shtein
QA Contact: Jameer Pathan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-07-03 14:34 UTC by Mirek Długosz
Modified: 2021-04-21 13:17 UTC

Fixed In Version: 2.0.13
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-04-21 13:15:01 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHSA-2021:1313
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2021-04-21 13:17:10 UTC

Description Mirek Długosz 2020-07-03 14:34:10 UTC
A user without the "generate_foreman_rh_cloud" permission can still try to generate a report, and won't be informed about the missing permission. Depending on how aware the user is of his limited permissions, it may lead to the user thinking that the plugin is not working.


Steps:
1. Create a user with view_foreman_rh_cloud, but without the generate_foreman_rh_cloud permission
2. Log in as that user and open the RH Cloud - Inventory page
3. Click "Restart" to force regeneration of the report


Actual:
Nothing visible happens. For around a second, it looks like the report is being generated (there's a "loading" circle visible).
In web tools, I can see that the POST to /foreman_inventory_upload/:id/reports returned a 403 HTTP code. The response contains HTML instead of JSON.


Expected:
Disable "Restart" button, so users can't get themselves in this situation.
Or handle 403 code returned by service and display error message to user.


Found on:
Satellite 6.8.0 snap 7
foreman-2.1.0-0.22.rc3.el7sat.noarch
pulp-server-2.21.2-1.el7sat.noarch
katello-3.16.0-0.3.rc3.el7sat.noarch
satellite-6.8.0-0.6.beta.el7sat.noarch
tfm-rubygem-foreman_rh_cloud-2.0.8-1.el7sat.noarch
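
An added example, not code from the foreman_rh_cloud plugin, of the two behaviours requested under "Expected": gating the "Restart" button on the permission, and turning a 403 whose body is HTML rather than JSON into a visible error. The function names, the `{ status, contentType, body }` response shape and the JSON `message` field are assumptions.

```javascript
// Added illustration; only the two permission names come from the bug report.
const GENERATE = 'generate_foreman_rh_cloud';

// UI hint only: decides whether to enable "Restart".
// The server's 403 remains the actual access control.
function canRestart(userPermissions) {
  return userPermissions.includes(GENERATE);
}

// Map a response to { ok, message } without assuming the body is JSON.
// `res` is a hypothetical shape: { status, contentType, body } with body as text.
function interpretReportResponse(res) {
  if (res.status >= 200 && res.status < 300) {
    return { ok: true, message: 'Report generation started' };
  }
  let detail = null;
  if ((res.contentType || '').toLowerCase().includes('application/json')) {
    try {
      const parsed = JSON.parse(res.body);
      // Assumed field name; used as plain text, never rendered as HTML.
      if (parsed && typeof parsed.message === 'string') detail = parsed.message;
    } catch (e) {
      // Header claimed JSON but the body was not; fall back to generic text.
    }
  }
  if (res.status === 403) {
    return { ok: false, message: detail || `Missing permission: ${GENERATE}` };
  }
  return { ok: false, message: detail || `Request failed with status code ${res.status}` };
}

// Constructed sample responses, including the HTML-bodied 403 from the report.
const samples = [
  { status: 403, contentType: 'text/html; charset=utf-8', body: '<html><body>Forbidden</body></html>' },
  { status: 403, contentType: 'application/json', body: '{"message":"Access denied"}' },
  { status: 500, contentType: 'application/json', body: '<html>oops</html>' },
];
for (const s of samples) console.log(s.status, interpretReportResponse(s).message);
```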

Comment 3 Brad Buckingham 2021-01-08 20:59:54 UTC
Early Satellite 6.9 snap includes tfm-rubygem-foreman_rh_cloud-1.0.12-1.el7sat.noarch.rpm. Since it appears that this is already included, aligning to release and updating state.

Comment 4 Jameer Pathan 2021-01-29 14:23:29 UTC
Verified

Verified with:
- Satellite 6.9.0 snap 11
- tfm-rubygem-foreman_rh_cloud-3.0.14-1.el7sat.noarch
- foreman-2.3.1.4-1.el7sat.noarch
- katello-3.18.1-1.el7sat.noarch
- pulp-server-2.21.4-2.el7sat.noarch

Test steps:

1. Create a Role having view_foreman_rh_cloud permission only.
2. Create a user and assign the Role created to it.
3. Log in as that user and open the RH Cloud - Inventory page.
4. Click "Restart" to force regeneration of the report.

Observation:
- "Request failed with status code 403" error message on Satellite UI.

Comment 7 errata-xmlrpc 2021-04-21 13:15:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: Satellite 6.9 Release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1313

