Actions
Bug #14000
closedNon-admin user receives permissions error on config_templates API
Status:
Closed
Priority:
Normal
Assignee:
Category:
Users, Roles and Permissions
Target version:
Difficulty:
Triaged:
Bugzilla link:
Pull request:
Description
When using a non-admin user account to access /api/v2/config_templates/1 or any non-index action, the user receives a 404 response due to failing permissions.
2016-03-02T08:44:44 [app] [I] Started GET "/api/v2/config_templates/1" for 127.0.0.1 at 2016-03-02 08:44:44 +0000 2016-03-02T08:44:44 [app] [I] Processing by Api::V2::ConfigTemplatesController#show as JSON 2016-03-02T08:44:44 [app] [I] Parameters: {"apiv"=>"v2", "id"=>"1"} 2016-03-02T08:44:44 [sql] [D] User Load (0.2ms) SELECT "users".* FROM "users" WHERE "users"."lower_login" = '13920test' LIMIT 1 2016-03-02T08:44:44 [sql] [D] AuthSource Load (0.2ms) SELECT "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = ? LIMIT 1 [["id", 1]] 2016-03-02T08:44:44 [sql] [D] CACHE (0.0ms) SELECT "users".* FROM "users" WHERE "users"."lower_login" = '13920test' LIMIT 1 2016-03-02T08:44:44 [sql] [D] Authenticated user 13920test against INTERNAL authentication source 2016-03-02T08:44:44 [sql] [D] User Load (0.2ms) SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'foreman_admin' LIMIT 1 2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to foreman_admin 2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to nil 2016-03-02T08:44:44 [sql] [D] Post-login processing for 13920test 2016-03-02T08:44:44 [sql] [D] CACHE (0.0ms) SELECT "users".* FROM "users" WHERE "users"."lower_login" = 'foreman_admin' LIMIT 1 2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to foreman_admin 2016-03-02T08:44:44 [sql] [D] (0.1ms) begin transaction 2016-03-02T08:44:44 [sql] [D] SQL (0.3ms) UPDATE "users" SET "last_login_on" = ?, "updated_at" = ? WHERE "users"."id" = 58 [["last_login_on", "2016-03-02 08:44:44.488791"], ["updated_at", "2016-03-02 08:44:44.489481"]] 2016-03-02T08:44:44 [sql] [D] Role Load (0.1ms) SELECT "roles".* FROM "roles" WHERE "roles"."name" = 'Anonymous' LIMIT 1 2016-03-02T08:44:44 [sql] [D] (0.0ms) SELECT "roles".id FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = ? AND "user_roles"."owner_type" = 'User' [["owner_id", 58]] 2016-03-02T08:44:44 [sql] [D] (14.4ms) commit transaction 2016-03-02T08:44:44 [sql] [D] CACHE (0.0ms) SELECT "roles".* FROM "roles" WHERE "roles"."name" = 'Anonymous' LIMIT 1 2016-03-02T08:44:44 [sql] [D] Role Exists (0.1ms) SELECT 1 AS one FROM "roles" INNER JOIN "user_roles" ON "roles"."id" = "user_roles"."role_id" WHERE "user_roles"."owner_id" = ? AND "user_roles"."owner_type" = 'User' AND "roles"."id" = 8 LIMIT 1 [["owner_id", 58]] 2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to nil 2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to 13920test 2016-03-02T08:44:44 [sql] [D] (0.1ms) SELECT auth_sources.id FROM "auth_sources" WHERE "auth_sources"."type" IN ('AuthSourceHidden') 2016-03-02T08:44:44 [sql] [D] User Load (0.1ms) SELECT "users".* FROM "users" WHERE ("users"."auth_source_id" NOT IN (7)) AND "users"."lower_login" = '13920test' ORDER BY firstname LIMIT 1 2016-03-02T08:44:44 [app] [I] Authorized user 13920test(13920 test) 2016-03-02T08:44:44 [app] [D] Setting current user thread-local variable to 13920test 2016-03-02T08:44:44 [sql] [D] Usergroup Load (0.1ms) SELECT "usergroups".* FROM "usergroups" INNER JOIN "cached_usergroup_members" ON "usergroups"."id" = "cached_usergroup_members"."usergroup_id" WHERE "cached_usergroup_members"."user_id" = ? ORDER BY usergroups.name [["user_id", 58]] 2016-03-02T08:44:44 [sql] [D] Role Load (0.1ms) SELECT DISTINCT "roles".* FROM "roles" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? [["user_id", 58]] 2016-03-02T08:44:44 [sql] [D] (0.1ms) SELECT permissions.name FROM "permissions" INNER JOIN "filterings" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "filters" ON "filterings"."filter_id" = "filters"."id" WHERE "filters"."role_id" = ? ORDER BY filters.role_id, filters.id [["role_id", 37]] 2016-03-02T08:44:44 [app] [W] DEPRECATION WARNING: Your API call uses deprecated behavior, The resources /config_templates were moved to /provisioning_templates. Please use the new path instead. (called from deprecated at /home/dcleal/code/foreman/foreman/app/controllers/api/v2/config_templates_controller.rb:122) 2016-03-02T08:44:44 [permissions] [D] checking permission view_config_templates 2016-03-02T08:44:44 [sql] [D] Filter Load (0.2ms) SELECT "filters".* FROM "filters" INNER JOIN "filterings" ON "filterings"."filter_id" = "filters"."id" INNER JOIN "permissions" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "roles" ON "filters"."role_id" = "roles"."id" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? AND (permissions.resource_type = 'ProvisioningTemplate') AND (permissions.name = 'view_config_templates') ORDER BY filters.role_id, filters.id [["user_id", 58]] 2016-03-02T08:44:44 [permissions] [D] 2016-03-02T08:44:44 [permissions] [D] no filters found for given permission 2016-03-02T08:44:44 [sql] [D] (0.1ms) SELECT COUNT(*) FROM "templates" WHERE (1=0) AND "templates"."type" IN ('ProvisioningTemplate') 2016-03-02T08:44:44 [app] [I] ActiveRecord::RecordNotFound (ActiveRecord::RecordNotFound) 2016-03-02T08:44:44 [app] [I] Rendered api/v2/errors/not_found.json.rabl within api/v2/layouts/error_layout (0.7ms) 2016-03-02T08:44:44 [app] [I] Completed 404 Not Found in 45ms (Views: 3.4ms | ActiveRecord: 16.4ms)
The key part of the log is:
2016-03-02T08:44:44 [permissions] [D] checking permission view_config_templates
The controller_permission method in the config templates API controller which should force it to check provisioning_templates permissions isn't being taken into account.
It looks like the support for controller_permission from #9687 regressed in #8343.
Updated by Dominic Cleal almost 9 years ago
- Related to Bug #9687: Provisioning Template Roles: view_template, edit_template doesn't render on 1.7.3 for non-admin added
Updated by Dominic Cleal almost 9 years ago
- Related to Bug #8343: API resource_scope ignores options added
Updated by The Foreman Bot almost 9 years ago
- Status changed from Assigned to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3267 added
Updated by Dominic Cleal over 8 years ago
- % Done changed from 0 to 100
- Status changed from Ready For Testing to Closed
Applied in changeset f05b9307fe36d877364b0ee5bee7212c3315c97e.
Actions