Bug #12762 (closed)
Role with filter view_content_hosts gives 403 error because organization could not be selected
Description
I just upgraded our Katello 2.2 environment to the latest Katello 2.4 RC.
After this update one of our roles doesn't work correctly any more.
We've got a role which contains the filter 'view_content_hosts'.
When a user with this role tries to navigate to Host -> Content Hosts a 403 permission denied error occurs.
Here's the Foreman production.log:
2015-12-10 12:17:58 [app] [I] Started GET "/select_organization?toState=%2Fcontent_hosts" for 10.99.0.123 at 2015-12-10 12:17:58 +0100
2015-12-10 12:17:58 [app] [I] Processing by Bastion::BastionController#index as HTML
2015-12-10 12:17:58 [app] [I] Parameters: {"toState"=>"/content_hosts", "bastion_page"=>"select_organization"}
2015-12-10 12:17:58 [app] [I] Rendered home/_user_dropdown.html.erb (4.1ms)
2015-12-10 12:17:58 [app] [I] Read fragment views/tabs_and_title_records-15 (0.1ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_organization_dropdown.html.erb (5.3ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_location_dropdown.html.erb (3.2ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_org_switcher.html.erb (9.4ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_submenu.html.erb (1.9ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_submenu.html.erb (1.5ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_submenu.html.erb (1.3ms)
2015-12-10 12:17:58 [app] [I] Write fragment views/tabs_and_title_records-15 (1.2ms)
2015-12-10 12:17:58 [app] [I] Rendered home/_topbar.html.erb (31.2ms)
2015-12-10 12:17:58 [app] [I] Rendered layouts/base.html.erb (32.7ms)
2015-12-10 12:17:58 [app] [I] Rendered /opt/theforeman/tfm/root/usr/share/gems/gems/bastion-2.0.3/app/views/bastion/layouts/application.html.erb (45.7ms)
2015-12-10 12:17:58 [app] [I] Completed 200 OK in 62ms (Views: 41.9ms | ActiveRecord: 7.1ms)
2015-12-10 12:17:59 [app] [I] Started GET "/organizations/views/organization-selector.html" for 10.99.0.123 at 2015-12-10 12:17:59 +0100
2015-12-10 12:17:59 [app] [I] Started GET "/katello/403" for 10.99.0.123 at 2015-12-10 12:17:59 +0100
2015-12-10 12:17:59 [app] [I] Processing by Katello::ApplicationController#permission_denied as HTML
2015-12-10 12:17:59 [app] [I] Completed 500 Internal Server Error in 22ms
2015-12-10 12:17:59 [app] [F] ActionView::MissingTemplate (Missing template katello/common/403 with {:locale=>[:en], :formats=>[:html], :handlers=>[:erb, :builder, :rabl]}. Searched in:
  * "/usr/share/foreman/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_discovery-4.1.2/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/katello-2.4.0.rc3/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_bootdisk-6.0.0/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman-tasks-0.7.6/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/bastion-2.0.3/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/foreman_docker-1.4.1/app/views"
  * "/opt/theforeman/tfm/root/usr/share/gems/gems/apipie-rails-0.2.6/app/views"
  ):
  katello (2.4.0.rc3) app/controllers/katello/application_controller.rb:290:in `block (2 levels) in render_403'
  katello (2.4.0.rc3) app/controllers/katello/application_controller.rb:289:in `render_403'
  app/controllers/application_controller.rb:62:in `deny_access'
  app/controllers/application_controller.rb:54:in `authorize'
  lib/middleware/catch_json_parse_errors.rb:9:in `call'
During further experimenting with this role I found out that by adding the filter called 'view_organizations' the 403 can be prevented.
However, opening the Content Hosts page still doesn't work with it. With this filter set I get the Select Organization page (instead of the 403)
but once I select an organization I get redirected back to the same Select Organization page instead of the Content Hosts page.
When I then navigate to a different Foreman page I get the notification 'Organization you had selected as your context has been deleted.'
Another thing I noticed is that the Context button in the top left of the web interface doesn't show any organization or location (just empty lists) when using this role.
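The production.log excerpt above shows two things stacked on top of each other: the user is denied (redirect to /katello/403), and the permission_denied handler that should render the 403 page then fails itself with a 500 (ActionView::MissingTemplate). The following is an added example, not code from the bug report or from Foreman/Katello: a small Ruby parser for Foreman production.log lines, in the single-line format shown in the report, that groups them into requests and flags any request whose deny path ended in a 5xx. The sample log is constructed from the lines pasted above, reduced to the events that matter; the line-format regex is an assumption based on that excerpt.

```ruby
# Added example (not part of the bug report or of Foreman/Katello).
# Parses Foreman production.log lines of the form
#   "2015-12-10 12:17:59 [app] [F] <message>"
# (format assumed from the excerpt in the report) and flags requests
# whose permission-denied handler itself failed with a 5xx.
LOG_LINE = /\A(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?<src>\w+)\] \[(?<lvl>[A-Z])\] (?<msg>.*)\z/

# Constructed sample: the same events as the log in the report, with the
# view-rendering noise dropped.
SAMPLE = <<~LOG
  2015-12-10 12:17:58 [app] [I] Started GET "/select_organization?toState=%2Fcontent_hosts" for 10.99.0.123 at 2015-12-10 12:17:58 +0100
  2015-12-10 12:17:58 [app] [I] Processing by Bastion::BastionController#index as HTML
  2015-12-10 12:17:58 [app] [I] Completed 200 OK in 62ms (Views: 41.9ms | ActiveRecord: 7.1ms)
  2015-12-10 12:17:59 [app] [I] Started GET "/katello/403" for 10.99.0.123 at 2015-12-10 12:17:59 +0100
  2015-12-10 12:17:59 [app] [I] Processing by Katello::ApplicationController#permission_denied as HTML
  2015-12-10 12:17:59 [app] [I] Completed 500 Internal Server Error in 22ms
  2015-12-10 12:17:59 [app] [F] ActionView::MissingTemplate (Missing template katello/common/403 with {:locale=>[:en]})
LOG

Request = Struct.new(:path, :client, :controller, :action, :status, :error)

# Group log lines into requests: a "Started" line opens a new request;
# "Processing by", "Completed" and fatal ([F]) lines attach to the most
# recently opened one.
def parse_requests(text)
  requests = []
  text.each_line do |line|
    m = LOG_LINE.match(line.chomp)
    next unless m
    msg = m[:msg]
    if (s = msg.match(/\AStarted (\w+) "([^"]+)" for (\S+)/))
      requests << Request.new(s[2], s[3])
    elsif (p = msg.match(/\AProcessing by ([\w:]+)#(\w+)/))
      next unless requests.last
      requests.last.controller = p[1]
      requests.last.action = p[2]
    elsif (c = msg.match(/\ACompleted (\d{3})/))
      requests.last.status = c[1].to_i if requests.last
    elsif m[:lvl] == 'F' && requests.last
      requests.last.error = msg
    end
  end
  requests
end

# The check a practitioner wants: a denial that did not end in a rendered
# 403 but in a server error means the deny path itself is broken, which
# hides the real authorization problem from the user and the audit trail.
def broken_denials(requests)
  requests.select { |r| r.action == 'permission_denied' && r.status.to_i >= 500 }
end

if __FILE__ == $PROGRAM_NAME
  broken_denials(parse_requests(SAMPLE)).each do |r|
    puts "#{r.client} #{r.path} -> #{r.status} in #{r.controller}##{r.action}: #{r.error}"
  end
end
```

Run against the sample it prints the /katello/403 request with its 500 and the MissingTemplate message; against a real production.log it separates "the role lacks a permission" (a 403 that rendered) from "the error page is broken" (a 403 that became a 500), which are two different fixes.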