Bug #12762 (Closed)
Role with filter view_content_hosts gives 403 error because organization could not be selected
Description
I just upgraded our Katello 2.2 environment to the latest Katello 2.4 RC.
After this update one of our roles doesn't work correctly any more.
We've got a role which contains the filter 'view_content_hosts'.
When a user with this role tries to navigate to Host -> Content Hosts a 403 permission denied error occurs.
Here's the Foreman production.log:
2015-12-10 12:17:58 [app] [I] Started GET "/select_organization?toState=%2Fcontent_hosts" for 10.99.0.123 at 2015-12-10 12:17:58 +0100
2015-12-10 12:17:58 [app] [I] Processing by Bastion::BastionController#index as HTML
2015-12-10 12:17:58 [app] [I] Parameters: {"toState"=>"/content_hosts", "bastion_page"=>"select_organization"}
2015-12-10 12:17:58 [app] [I] Rendered home/_user_dropdown.html.erb (4.1ms)
2015-12-10 12:17:58 [app] [I] Read fragment views/tabs_and_title_records-15 (0.1ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_organization_dropdown.html.erb (5.3ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_location_dropdown.html.erb (3.2ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_org_switcher.html.erb (9.4ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_submenu.html.erb (1.9ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_submenu.html.erb (1.5ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_submenu.html.erb (1.3ms)
2015-12-10 12:17:58 [app] [I] Write fragment views/tabs_and_title_records-15 (1.2ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_topbar.html.erb (31.2ms)
2015-12-10 12:17:58 [app] [I] Rendered layouts/base.html.erb (32.7ms)
2015-12-10 12:17:58 [app] [I] Rendered /opt/theforeman/tfm/root/usr/share/gems/gems/bastion-2.0.3/app/views/bastion/layouts/application.html.erb (45.7ms)
2015-12-10 12:17:58 [app] [I] Completed 200 OK in 62ms (Views: 41.9ms | ActiveRecord: 7.1ms)
2015-12-10 12:17:59 [app] [I] Started GET "/organizations/views/organization-selector.html" for 10.99.0.123 at 2015-12-10 12:17:59 +0100
2015-12-10 12:17:59 [app] [I] Started GET "/katello/403" for 10.99.0.123 at 2015-12-10 12:17:59 +0100
2015-12-10 12:17:59 [app] [I] Processing by Katello::ApplicationController#permission_denied as HTML
2015-12-10 12:17:59 [app] [I] Completed 500 Internal Server Error in 22ms
2015-12-10 12:17:59 [app] [F] ActionView::MissingTemplate (Missing template katello/common/403 with {:locale=>[:en], :formats=>[:html], :handlers=>[:erb, :builder, :rabl]}. Searched in:
  * "/usr/share/foreman/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-4.1.2/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/katello-2.4.0.rc3/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_bootdisk-6.0.0/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman-tasks-0.7.6/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/bastion-2.0.3/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_docker-1.4.1/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/apipie-rails-0.2.6/app/views"
):
  katello (2.4.0.rc3) app/controllers/katello/application_controller.rb:290:in `block (2 levels) in render_403'
  katello (2.4.0.rc3) app/controllers/katello/application_controller.rb:289:in `render_403'
  app/controllers/application_controller.rb:62:in `deny_access'
  app/controllers/application_controller.rb:54:in `authorize'
  lib/middleware/catch_json_parse_errors.rb:9:in `call'
During further experimenting with this role I found out that by adding the filter called 'view_organizations' the 403 can be prevented.
However, opening the Content Hosts page still doesn't work with it. With this filter set I get the Select Organization page (instead of the 403), but once I select an organization I get redirected back to the same Select Organization page instead of the Content Hosts page.
When I then navigate to a different Foreman page I get the notification 'Organization you had selected as your context has been deleted.'
Another thing I noticed is that the Context button in the top left side of the web interface doesn't show any organization or location (just empty lists) when using this role.
Updated by Eric Helms almost 9 years ago
- Release set to 86
- Triaged changed from No to Yes
Updated by Eric Helms almost 9 years ago
- Status changed from New to Resolved
Content hosts have been reworked to be more tightly integrated with hosts and the permissions have been ported over as well.