Marek Hulan <mhulan> reports:

Hello, today it was discovered by a community member (Daniel Lobato) that users can manage hosts via API even when they shouldn't have access to them (works right in UI). The app/controllers/api/v1/hosts_controller.rb does not honor user privileges at all.
http://projects.theforeman.org/issues/2863
Acknowledgements: Red Hat would like to thank Daniel Lobato of CERN IT-PES-PS for reporting this issue.
Fixed in upstream http://projects.theforeman.org/projects/foreman/repository/revisions/ce13ab5d1197c128acccd0725c06a2526e19b4ac
Sorry, I should probably not change the Status.
This issue has been addressed in the following products:

OpenStack 3 for RHEL 6

Via RHSA-2013:1196 https://rhn.redhat.com/errata/RHSA-2013-1196.html
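The report at the top of this bug describes an API path that skips the privilege check the UI path enforces. The following is an added example, not Foreman's code and not the upstream fix: a small parity check that lists every user/host pair where an API lookup grants access the UI lookup refuses. All names (`Host`, `User`, `authorized_hosts`, the lookup functions) and the sample data are hypothetical and constructed for illustration.

```ruby
# Added illustration; every name and value here is hypothetical, not Foreman's code.
Host = Struct.new(:id, :name, :owner)
User = Struct.new(:login, :admin)

# Constructed sample data.
HOSTS = [
  Host.new(1, "web01.example.test", "alice"),
  Host.new(2, "db01.example.test", "bob")
].freeze
SAMPLE_USERS = [
  User.new("alice", false),
  User.new("bob", false),
  User.new("root", true)
].freeze

# The single place that decides which hosts a user may manage.
def authorized_hosts(user)
  user.admin ? HOSTS : HOSTS.select { |h| h.owner == user.login }
end

# UI path: looks the host up inside the user's authorized scope.
def ui_find_host(user, id)
  authorized_hosts(user).find { |h| h.id == id }
end

# API path with the class of flaw the report describes: the user is ignored.
def api_find_host_unscoped(_user, id)
  HOSTS.find { |h| h.id == id }
end

# API path routed through the same scope as the UI (assumed remediation).
def api_find_host_scoped(user, id)
  authorized_hosts(user).find { |h| h.id == id }
end

# Returns [login, host_id] pairs where the API returns a host the UI refuses.
def api_ui_mismatches(users, api_lookup)
  users.flat_map do |u|
    HOSTS.map(&:id)
         .select { |id| ui_find_host(u, id).nil? && api_lookup.call(u, id) }
         .map { |id| [u.login, id] }
  end
end

if __FILE__ == $PROGRAM_NAME
  p api_ui_mismatches(SAMPLE_USERS, method(:api_find_host_unscoped))
  p api_ui_mismatches(SAMPLE_USERS, method(:api_find_host_scoped))
end
```

Run as a regression test, a non-empty result means some entry point bypasses the shared authorization scope.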