
Bug #14000

Non-admin user receives permissions error on config_templates API

Added by Dominic Cleal over 3 years ago. Updated about 1 year ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Authorization
Target version:
Difficulty:
Triaged:
Bugzilla link:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

When using a non-admin user account to access /api/v2/config_templates/1 or any non-index action, the user receives a 404 response due to failing permissions.

2016-03-02T08:44:44 [app] [I] Started GET "/api/v2/config_templates/1" for 127.0.0.1 at 2016-03-02 08:44:44 +0000
2016-03-02T08:44:44 [app] [I] Processing by Api::V2::ConfigTemplatesController#show as JSON
2016-03-02T08:44:44 [app] [I]   Parameters: {"apiv"=>"v2", "id"=>"1"}
2016-03-02T08:44:44 [sql] [D]   User Load (0.2ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = '13920test' LIMIT 1
2016-03-02T08:44:44 [sql] [D]   AuthSource Load (0.2ms)  SELECT  "auth_sources".* FROM "auth_sources"  WHERE "auth_sources"."id" = ? LIMIT 1  [["id", 1]]
2016-03-02T08:44:44 [sql] [D]   CACHE (0.0ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = '13920test' LIMIT 1
2016-03-02T08:44:44 [sql] [D] Authenticated user 13920test against INTERNAL authentication source
2016-03-02T08:44:44 [sql] [D]   User Load (0.2ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = 'foreman_admin' LIMIT 1
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to foreman_admin
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to nil
2016-03-02T08:44:44 [sql] [D] Post-login processing for 13920test
2016-03-02T08:44:44 [sql] [D]   CACHE (0.0ms)  SELECT  "users".* FROM "users"  WHERE "users"."lower_login" = 'foreman_admin' LIMIT 1
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to foreman_admin
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  begin transaction
2016-03-02T08:44:44 [sql] [D]   SQL (0.3ms)  UPDATE "users" SET "last_login_on" = ?, "updated_at" = ? WHERE "users"."id" = 58  [["last_login_on", "2016-03-02 08:44:44.488791"], ["updated_at", "2016-03-02 08:44:44.489481"]]
2016-03-02T08:44:44 [sql] [D]   Role Load (0.1ms)  SELECT  "roles".* FROM "roles"  WHERE "roles"."name" = 'Anonymous' LIMIT 1
2016-03-02T08:44:44 [sql] [D]    (0.0ms)  SELECT "roles".id FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = ? AND "user_roles"."owner_type" = 'User'  [["owner_id", 58]]
2016-03-02T08:44:44 [sql] [D]    (14.4ms)  commit transaction
2016-03-02T08:44:44 [sql] [D]   CACHE (0.0ms)  SELECT  "roles".* FROM "roles"  WHERE "roles"."name" = 'Anonymous' LIMIT 1
2016-03-02T08:44:44 [sql] [D]   Role Exists (0.1ms)  SELECT  1 AS one FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = ? AND "user_roles"."owner_type" = 'User' AND "roles"."id" = 8 LIMIT 1  [["owner_id", 58]]
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to nil
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to 13920test
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  SELECT auth_sources.id FROM "auth_sources"  WHERE "auth_sources"."type" IN ('AuthSourceHidden')
2016-03-02T08:44:44 [sql] [D]   User Load (0.1ms)  SELECT  "users".* FROM "users"  WHERE ("users"."auth_source_id" NOT IN (7)) AND "users"."lower_login" = '13920test'  ORDER BY firstname LIMIT 1
2016-03-02T08:44:44 [app] [I] Authorized user 13920test(13920 test)
2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to 13920test
2016-03-02T08:44:44 [sql] [D]   Usergroup Load (0.1ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "cached_usergroup_members" ON "usergroups"."id" = "cached_usergroup_members"."usergroup_id" WHERE "cached_usergroup_members"."user_id" = ?  ORDER BY usergroups.name  [["user_id", 58]]
2016-03-02T08:44:44 [sql] [D]   Role Load (0.1ms)  SELECT DISTINCT "roles".* FROM "roles" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ?  [["user_id", 58]]
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  SELECT permissions.name FROM "permissions" INNER JOIN "filterings" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "filters" ON "filterings"."filter_id" = "filters"."id" WHERE "filters"."role_id" = ?  ORDER BY filters.role_id, filters.id  [["role_id", 37]]
2016-03-02T08:44:44 [app] [W] DEPRECATION WARNING: Your API call uses deprecated behavior, The resources /config_templates were moved to /provisioning_templates. Please use the new path instead. (called from deprecated at /home/dcleal/code/foreman/foreman/app/controllers/api/v2/config_templates_controller.rb:122)
2016-03-02T08:44:44 [permissions] [D] checking permission view_config_templates
2016-03-02T08:44:44 [sql] [D]   Filter Load (0.2ms)  SELECT "filters".* FROM "filters" INNER JOIN "filterings" ON "filterings"."filter_id" = "filters"."id" INNER JOIN "permissions" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "roles" ON "filters"."role_id" = "roles"."id" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? AND (permissions.resource_type = 'ProvisioningTemplate') AND (permissions.name = 'view_config_templates')  ORDER BY filters.role_id, filters.id  [["user_id", 58]]
2016-03-02T08:44:44 [permissions] [D] 
2016-03-02T08:44:44 [permissions] [D] no filters found for given permission
2016-03-02T08:44:44 [sql] [D]    (0.1ms)  SELECT COUNT(*) FROM "templates"  WHERE (1=0) AND "templates"."type" IN ('ProvisioningTemplate')
2016-03-02T08:44:44 [app] [I] ActiveRecord::RecordNotFound (ActiveRecord::RecordNotFound)
2016-03-02T08:44:44 [app] [I]   Rendered api/v2/errors/not_found.json.rabl within api/v2/layouts/error_layout (0.7ms)
2016-03-02T08:44:44 [app] [I] Completed 404 Not Found in 45ms (Views: 3.4ms | ActiveRecord: 16.4ms)

The key part of the log is:

2016-03-02T08:44:44 [permissions] [D] checking permission view_config_templates

The controller_permission method in the config templates API controller which should force it to check provisioning_templates permissions isn't being taken into account.

It looks like the support for controller_permission from #9687 regressed in #8343.
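
The mechanism behind the report, as an added illustration that is not Foreman's code: a Rails-style controller derives its permission suffix from the controller name (so the deprecated `/config_templates` alias checks `view_config_templates`, which no role filter grants), while the fixed path lets `controller_permission` override that suffix so the alias checks the canonical `view_provisioning_templates`. It also mirrors why the failure surfaces as a 404 rather than a 403: an unauthorized scope yields no rows (the `WHERE (1=0)` query in the log), so `find` raises a not-found error. The class names, the `USER_PERMISSIONS` grants, the `TEMPLATES` records and the `honour_override:` flag are all constructed for this example.

```ruby
# Constructed permission grants for a hypothetical non-admin user. Role filters
# only ever reference the canonical resource name, never the deprecated alias.
USER_PERMISSIONS = %w[view_provisioning_templates edit_provisioning_templates].freeze

# Constructed template records standing in for the "templates" table.
TEMPLATES = [{ id: 1, name: 'Kickstart default' }, { id: 2, name: 'PXELinux default' }].freeze

# Stand-in for ActiveRecord::RecordNotFound; the API renders it as a 404.
class NotFoundError < StandardError; end

# Minimal stand-in for a Foreman-style API base controller.
class ApiController
  # What Rails derives from the class name: "ConfigTemplatesController" -> "config_templates".
  def self.controller_name
    name.sub(/Controller\z/, '').gsub(/([a-z])([A-Z])/, '\1_\2').downcase
  end

  # Override hook: by default the permission suffix is just the controller name.
  def self.controller_permission
    controller_name
  end

  # honour_override: false reproduces the regressed resource_scope, which built
  # the permission from controller_name and ignored controller_permission.
  def self.permission_for(action, honour_override: true)
    suffix = honour_override ? controller_permission : controller_name
    "#{action}_#{suffix}"
  end

  def self.authorized?(action, granted = USER_PERMISSIONS, honour_override: true)
    granted.include?(permission_for(action, honour_override: honour_override))
  end

  # Scoped lookup: with no matching filter the scope is empty (the 1=0 query),
  # so a lookup by id fails as not-found rather than as forbidden.
  def self.find_in_scope(id, records, action: 'view', granted: USER_PERMISSIONS, honour_override: true)
    scope = authorized?(action, granted, honour_override: honour_override) ? records : []
    record = scope.find { |r| r[:id] == id }
    raise NotFoundError, "no #{controller_permission} record with id #{id}" unless record
    record
  end
end

# Canonical resource: derived suffix "provisioning_templates" already matches the grants.
class ProvisioningTemplatesController < ApiController; end

# Deprecated alias: the route says config_templates, the resource is provisioning templates,
# so the controller must declare which permission family actually applies.
class ConfigTemplatesController < ApiController
  def self.controller_permission
    'provisioning_templates'
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "regressed check: #{ConfigTemplatesController.permission_for('view', honour_override: false)}"
  puts "fixed check:     #{ConfigTemplatesController.permission_for('view')}"
  begin
    ConfigTemplatesController.find_in_scope(1, TEMPLATES, honour_override: false)
  rescue NotFoundError => e
    puts "regressed lookup: 404 (#{e.message})"
  end
  puts "fixed lookup: #{ConfigTemplatesController.find_in_scope(1, TEMPLATES)[:name]}"
end
```

The practitioner check this suggests for any alias or renamed route: confirm that the permission name the alias resolves to is identical to the canonical controller's, for every action, rather than trusting that the default naming rule does the right thing. Here the mismatch denies a legitimate user; a mismatch in the other direction would be far worse, so the assertion is worth keeping in the test suite alongside the fix.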


Related issues

Related to Foreman - Bug #9687: Provisioning Template Roles: view_template, edit_template doesn't render on 1.7.3 for non-admin (Closed, 2015-03-09)
Related to Foreman - Bug #8343: API resource_scope ignores options (Closed, 2014-11-11)

Associated revisions

Revision f05b9307 (diff)
Added by Dominic Cleal over 3 years ago

fixes #14000 - respect custom controller permissions

Allows controller_permission method to override the permission suffix
used in resource_scope, originally from a63aa7c and removed in bb39df2.

Revision a7bc5264 (diff)
Added by Dominic Cleal over 3 years ago

fixes #14000 - respect custom controller permissions

Allows controller_permission method to override the permission suffix
used in resource_scope, originally from a63aa7c and removed in bb39df2.

(cherry picked from commit f05b9307fe36d877364b0ee5bee7212c3315c97e)

Revision 614f6ef1 (diff)
Added by Dominic Cleal over 3 years ago

fixes #14000 - respect custom controller permissions

Allows controller_permission method to override the permission suffix
used in resource_scope, originally from a63aa7c and removed in bb39df2.

(cherry picked from commit f05b9307fe36d877364b0ee5bee7212c3315c97e)

History

#1 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #9687: Provisioning Template Roles: view_template, edit_template doesn't render on 1.7.3 for non-admin added

#2 Updated by Dominic Cleal over 3 years ago

  • Related to Bug #8343: API resource_scope ignores options added

#3 Updated by The Foreman Bot over 3 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3267 added

#4 Updated by Dominic Cleal over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#5 Updated by Bryan Kearney over 3 years ago

  • Bugzilla link set to 1326031
