
Bug 788008

Summary: SecurityViolation error while accessing system Errata/status
Product: Red Hat Satellite
Reporter: Sachin Ghai <sghai>
Component: WebUI
Assignee: Tom McKay <tomckay>
Status: CLOSED CURRENTRELEASE
QA Contact: Katello QA List <katello-qa-list>
Severity: high
Priority: high
Docs Contact:
Version: 6.0.0
CC: bkearney, cwelton, jturner, mmccune, tomckay
Target Milestone: Unspecified
Keywords: Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-08-22 18:25:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
- Clicking on drop down list box raised security violation error (flags: none)
- Complete error log from production.log (flags: none)

Description Sachin Ghai 2012-02-07 08:24:57 UTC
Description of problem:

While selecting the dropdown listing of errata displayed under the system tab, I got the following error in production.log
----
Started GET "/katello/systems/1/errata/status?_=1328599005455" for 10.65.193.48 at Tue Feb 07 07:21:22 -0500 2012
  Processing by SystemErrataController#status as JSON
  Parameters: {"system_id"=>"1", "_"=>"1328599005455"}
User reader is not allowed to access system_errata/status
User reader is not allowed to access system_errata/status
#<Errors::SecurityViolation: User reader is not allowed to access system_errata/status>
/usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
----

Version-Release number of selected component (if applicable):
katello-0.1.211-2.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. Register a system using admin user
2. Create a read only user 'reader' with 'Read Everything' role
3. login with reader
4. Under systems tab ==> select system ==> on right pane, select 'Errata'
5. Click on drop down list box
Actual results:
#<Errors::SecurityViolation: User reader is not allowed to access system_errata/status>

Expected results:
No backtrace should be in production.log; instead, the UI should raise a
permission denied message if the read-only user is not allowed to access system errata.


Additional info:

Comment 1 Sachin Ghai 2012-02-07 08:27:20 UTC
Created attachment 559868
Clicking on drop down list box raised security violation error

Comment 2 Sachin Ghai 2012-02-07 08:28:11 UTC
Created attachment 559869
Complete error log from production.log

Comment 4 Tom McKay 2012-03-01 21:24:56 UTC
Tested and unable to reproduce.

Please re-test in version being built today.

Comment 5 Sachin Ghai 2012-03-06 06:34:26 UTC
It is still reproducible.

---
[ERROR: 2012-03-06 11:55:15 #27366] User reader is not allowed to access system_errata/status
[ERROR: 2012-03-06 11:55:15 #27366] User reader is not allowed to access system_errata/status
[ERROR: 2012-03-06 11:55:15 #27366] #<Errors::SecurityViolation: User reader is not allowed to access system_errata/status>
[ERROR: 2012-03-06 11:55:15 #27366] /usr/share/katello/lib/authorization_rules.rb:31:in `authorize'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:458:in `_run__625565855__process_action__1696389161__callbacks'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:221:in `_conditional_callback_around_2775'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/share/katello/lib/util/threadsession.rb:79:in `thread_locals'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:220:in `_conditional_callback_around_2775'
[ERROR: 2012-03-06 11:55:15 #27366] /usr/lib/ruby/gems/1.8/gems/activesupport-3.0.10/lib/active_support/callbacks.rb:451:in `_run__625565855__process_action__1696389161__callbacks'
[
---

I tested this today with the following builds:

[root@perceptor ~]# rpm -qa | grep -ie pulp-1 -ie katello-0
pulp-1.0.0-2.el6.noarch
katello-0.2.5-1.el6.noarch


Steps to reproduce:

1. Login with admin user
2. Register a system using rhsm
3. Create a read only user reader and assign 'Read Everything' role
4. Login with 'reader'
5. Go to systems tab ==> select the system ==> errata
6. Check production.log

Comment 6 Tom McKay 2012-03-06 14:33:27 UTC
Confirmed. I missed the message in the log since the UI behaves normally.

Comment 7 Tom McKay 2012-03-06 15:35:24 UTC
commit 570877cfd57721f946d0504bd1c6aa57d2ab47d5
Author: Tom McKay <thomasmckay>
Date:   Tue Mar 6 10:34:21 2012 -0500

    788008 - do not attempt to poll errata status when user does not have edit permission
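
The two halves of the problem on this page, the server-side rule that rejects the read-only user and the client-side poll that should not be issued without edit permission, as an added example rather than Katello's own code; the rule table and the permission names :read_systems and :edit_systems are constructed for illustration.

```ruby
# Added example (not Katello's or Red Hat's code): a small model of the
# authorization check in the bug and of the fix from comment 7. The rule table,
# permission names and user roles are constructed for illustration.
class SecurityViolation < StandardError; end

# Constructed rule table: "controller/action" => permission the caller needs.
# Errata *status* polling is gated behind :edit_systems, so a read-only user can
# render the errata page but not the background poll the page issues.
AUTH_RULES = {
  "systems/show"         => :read_systems,
  "system_errata/index"  => :read_systems,
  "system_errata/status" => :edit_systems
}.freeze

User = Struct.new(:name, :permissions)

# Server-side rule, kept strict: raises, as the original authorize did.
def authorize!(user, action)
  needed = AUTH_RULES.fetch(action)
  return true if user.permissions.include?(needed)
  raise SecurityViolation, "User #{user.name} is not allowed to access #{action}"
end

# Request handler that turns an expected denial into a 403 and a single
# concise log line instead of a backtrace in production.log.
def handle_request(user, action, log = [])
  authorize!(user, action)
  { status: 200, body: "ok", log: log }
rescue SecurityViolation => e
  log << "[WARN] #{e.message}"
  { status: 403, body: "permission denied", log: log }
end

# Client-side half of the fix: only start the errata status poll when the user
# holds the permission the poll endpoint requires.
def poll_errata_status?(user)
  user.permissions.include?(AUTH_RULES["system_errata/status"])
end

if __FILE__ == $PROGRAM_NAME
  reader = User.new("reader", [:read_systems])   # 'Read Everything' role
  admin  = User.new("admin", [:read_systems, :edit_systems])
  puts poll_errata_status?(reader)                       # false: no poll issued
  puts handle_request(reader, "system_errata/status")    # 403, one log line
  puts handle_request(admin,  "system_errata/status")    # 200
end
```

The server check stays authoritative either way; skipping the poll only removes the expected denial from production.log, it does not replace the rule.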

Comment 10 Corey Welton 2012-03-07 21:35:35 UTC
Verified in brew build fixed in compose 0.1.303-1.el6