Bug #2645
closed
non-admin users can not create a Smart Variable or Smart Class Parameter
Description
There is no way to assign permissions to a user that will allow them to create or edit a Smart Class Parameter or Smart Variable.
They can navigate to More>Configuration>Puppet Classes, select a class, attempt to edit it, and can even click Submit, without receiving an error, but the create/edit fails to do anything.
This issue appears to exist for both 1.1 and 1.2.
Dominic pointed me to http://projects.theforeman.org/issues/show/2386, which at least addresses part of the problem in 1.2, in that users can at least override existing parameters inherited by their host, but I'd still like to be able to allow users to create the parameters they need themselves.
Updated by Dominic Cleal over 11 years ago
- Category set to Users, Roles and Permissions
- Target version set to 1.2.0
Updated by Joseph Magen over 11 years ago
- Status changed from New to Assigned
- Assignee set to Joseph Magen
Updated by Joseph Magen over 11 years ago
- Status changed from Assigned to Ready For Testing
https://github.com/theforeman/foreman/pull/728
Jason, can you test if this PR works?
Updated by Anonymous over 11 years ago
I applied this and restarted httpd (using passenger) and as far as I can tell this made no difference in the behavior. It still just flips me back from the "Smart Variables" to the "Puppet Class" tab and refuses to save.
Updated by Joseph Magen over 11 years ago
Jason,
You're right. My change had no effect, since I previously overrode enforce_permissions in lookup_value.rb (the class for smart variables).
The non-admin has permission if the fqdn matches or the hostgroup matches.
    when /^fqdn=(.*)/
      # check if current fqdn is in our allowed list
      Host.my_hosts.where(:name => $1).exists?
    when /^hostgroup=(.*)/
      # check if current hostgroup is in our allowed list
      Hostgroup.my_groups.where(:label => $1).exists?
Does the smart variable that you are trying to create have a matcher on fqdn or hostgroup?
Updated by Anonymous over 11 years ago
I just edited a host in my 1.2 test setup and added a parameter to make sure I had access to edit it and I do.
I then went to create a smart variable with a matcher rule for the fqdn of the same host. It did not save, as has been the case.
When I went to edit the Value of an already existing smart variable that matches fqdn=<host> it told me "You do not have permission to edit this lookupkey"
In the production 1.1 system we originally found this problem in, the match rule was very specific, for a single host which was created by the user trying to create the smart variable.
Also, since there is a default value, which will apply to any host with the class, regardless of the match rule/value parameter, how is the permission taken care of for this? (My thought was that it would be possible to allow a user to edit smart variables/parameters globally or even on a per environment or puppet class level down the road...)
Updated by Joseph Magen over 11 years ago
Jason,
I think it may be due to the setup in roles/permissions. Go to http://yourdomain/roles/report
Btw, Redmine is not sending me e-mail notifications even though the setting is set. Can you email me at jmagen@redhat.com so I can respond quicker?
Creating Smart Variables or Smart Class Parameters adds a record to the lookup_keys table in the database.
Overriding values based on a matcher adds a record to the lookup_values table in the database.
If you look at lib/foreman/access_permissions.rb, there are different roles for managing lookup_keys versus lookup_values.
To create, update, or destroy a Smart Variable (lookup_key), you need the role of Edit Puppetclasses
To create, update, or destroy an Overridden Value (lookup_value), you need the role of Create/Edit/Destroy External Variables
    # lookup_keys (Smart Variables / Smart Class Parameters) are covered by :edit_puppetclasses
    map.permission :edit_puppetclasses, {:puppetclasses => [:edit, :update],
                                         :"api/v1/puppetclasses" => [:update],
                                         :"api/v2/puppetclasses" => [:update],
                                         :"lookup_keys" => [:create, :update, :destroy],
                                         :"api/v1/lookup_keys" => [:create, :update, :destroy],
                                         :"api/v2/lookup_keys" => [:create, :update, :destroy]}
    # lookup_values (overridden values) are covered by the external_variables block
    map.security_block :external_variables do |map|
      map.permission :view_external_variables, {:lookup_keys => [:index, :show, :auto_complete_search],
                                                :lookup_values => [:index]}
      map.permission :create_external_variables, {:lookup_keys => [:new, :create],
                                                  :lookup_values => [:create]}
      map.permission :edit_external_variables, {:lookup_keys => [:edit, :update],
                                                :lookup_values => [:create, :update, :destroy]}
      map.permission :destroy_external_variables, {:lookup_keys => [:destroy],
                                                   :lookup_values => [:destroy]}
    end
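Added example, not part of the original thread and not Foreman's own code: a plain-Ruby model of the two checks described in the comment above, useful for auditing which permissions authorize a given controller action and why a role-level grant alone may not be enough to save an override. The names `PERMISSIONS`, `permissions_granting`, `role_allows?`, `matcher_allows?` and `can_save_override?` are hypothetical, and the assumption that both layers must pass, and that unknown matchers are denied, belongs to this model only.

```ruby
# Simplified copy of the quoted permission map (API controllers omitted).
# Permission name => { controller => [actions] }. Not Foreman code.
PERMISSIONS = {
  edit_puppetclasses:         { "puppetclasses" => %i[edit update],
                                "lookup_keys"   => %i[create update destroy] },
  view_external_variables:    { "lookup_keys"   => %i[index show auto_complete_search],
                                "lookup_values" => %i[index] },
  create_external_variables:  { "lookup_keys"   => %i[new create],
                                "lookup_values" => %i[create] },
  edit_external_variables:    { "lookup_keys"   => %i[edit update],
                                "lookup_values" => %i[create update destroy] },
  destroy_external_variables: { "lookup_keys"   => %i[destroy],
                                "lookup_values" => %i[destroy] }
}.freeze

# Every permission that authorizes controller#action.
def permissions_granting(controller, action)
  PERMISSIONS.select { |_, map| map.fetch(controller, []).include?(action) }.keys
end

# Layer 1: does any permission held by the role cover controller#action?
def role_allows?(role_permissions, controller, action)
  (permissions_granting(controller, action) & role_permissions).any?
end

# Layer 2: record-level matcher check, modelled on the quoted case fragment.
# my_hosts / my_groups are hypothetical stand-ins for Host.my_hosts and
# Hostgroup.my_groups; denying any other matcher is an assumption of this model.
def matcher_allows?(match, my_hosts:, my_groups:)
  case match
  when /^fqdn=(.*)/      then my_hosts.include?($1)
  when /^hostgroup=(.*)/ then my_groups.include?($1)
  else false
  end
end

# Assumption of this model: an override (lookup_value) is saved only when
# both the role-level and the record-level check pass.
def can_save_override?(role_permissions, match, my_hosts:, my_groups:)
  role_allows?(role_permissions, "lookup_values", :create) &&
    matcher_allows?(match, my_hosts: my_hosts, my_groups: my_groups)
end
```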
Updated by Anonymous over 11 years ago
I went one further over the weekend and applied every permission available in the role (used check all and verified everything was checked before submitting) and went back as the user and tried again. I am still unable to create a smart variable as the user.
Even before that I had all of the puppet classes and external variables permissions applied, save for import puppet classes.
Updated by Anonymous over 11 years ago
I should also add that I have Orgs and Locs enabled, in case that makes a difference...
Updated by Anonymous over 11 years ago
The other interesting thing is that I still cannot go in and add a matcher-value if I go into More>Configuration>Puppet Classes and try to edit a Smart Class Parameter or Smart Variable and add fqdn=<host>. But if I go and edit the same host and override the value on the host it works fine and even shows up as a Match on the parameter afterward.
Updated by Joseph Magen over 11 years ago
Jason, what is the error? Can you attach or pastie a log file? I'm at a loss, since when I logged in as a non-admin, I can create/edit smart variables???
Updated by Joseph Magen over 11 years ago
Hi Jason, I found the error together with Amos. Check it out.
https://github.com/theforeman/foreman/pull/728
Updated by Anonymous over 11 years ago
I think I mentioned it over IRC, but the pull in the previous comment appears to fix this.
Updated by Joseph Magen over 11 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset f4b2185cea466ea870bddc56cfcd9dec49ec427f.