Bug #14301

User with limited permissions cannot access help pages

Added by Tomer Brisker about 4 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Category:
Authorization

Description

Sample log for the attempted access:

2016-03-21T17:40:06 [app] [I] Started GET "/architectures/help" for 127.0.0.1 at 2016-03-21 17:40:06 +0200
2016-03-21T17:40:06 [app] [I] Processing by ArchitecturesController#welcome as HTML
2016-03-21T17:40:06 [sql] [D]   ActiveRecord::SessionStore::Session Load (0.7ms)  SELECT  "sessions".* FROM "sessions"  WHERE "sessions"."session_id" = '2cc12c0d1ba158f83f146928a8194a7e'  ORDER BY "sessions"."id" ASC LIMIT 1
2016-03-21T17:40:06 [sql] [D]   User Load (0.6ms)  SELECT  "users".* FROM "users"  WHERE "users"."id" = $1 LIMIT 1  [["id", 5]]
2016-03-21T17:40:06 [app] [D] Setting current user thread-local variable to aaa
2016-03-21T17:40:06 [sql] [D]   Usergroup Load (0.3ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "cached_usergroup_members" ON "usergroups"."id" = "cached_usergroup_members"."usergroup_id" WHERE "cached_usergroup_members"."user_id" = $1  ORDER BY usergroups.name  [["user_id", 5]]
2016-03-21T17:40:06 [sql] [D]   Taxonomy Load (0.8ms)  SELECT "taxonomies".* FROM "taxonomies" INNER JOIN "taxable_taxonomies" ON "taxonomies"."id" = "taxable_taxonomies"."taxonomy_id" WHERE "taxonomies"."type" IN ('Organization') AND "taxonomies"."type" = 'Organization' AND "taxable_taxonomies"."taxable_id" = $1 AND "taxable_taxonomies"."taxable_type" = $2  ORDER BY "taxonomies"."title" ASC  [["taxable_id", 5], ["taxable_type", "User"]]
2016-03-21T17:40:06 [sql] [D]   Organization Load (0.5ms)  SELECT "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization') AND ((("taxonomies"."id" = 2 OR "taxonomies"."ancestry" ILIKE '2/%') OR "taxonomies"."ancestry" = '2'))  ORDER BY "taxonomies"."title" ASC
2016-03-21T17:40:06 [sql] [D]    (0.4ms)  SELECT COUNT(*) FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization') AND ( (taxonomies.id in (2)))
2016-03-21T17:40:06 [sql] [D]   Organization Load (0.4ms)  SELECT  "taxonomies".* FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization') AND ( (taxonomies.id in (2)))  ORDER BY "taxonomies"."title" ASC LIMIT 1
2016-03-21T17:40:06 [app] [D] Setting current organization thread-local variable to rht
2016-03-21T17:40:06 [sql] [D]   Taxonomy Load (0.3ms)  SELECT "taxonomies".* FROM "taxonomies" INNER JOIN "taxable_taxonomies" ON "taxonomies"."id" = "taxable_taxonomies"."taxonomy_id" WHERE "taxonomies"."type" IN ('Location') AND "taxonomies"."type" = 'Location' AND "taxable_taxonomies"."taxable_id" = $1 AND "taxable_taxonomies"."taxable_type" = $2  ORDER BY "taxonomies"."title" ASC  [["taxable_id", 5], ["taxable_type", "User"]]
2016-03-21T17:40:06 [sql] [D]   Location Load (1.8ms)  SELECT "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location') AND ((("taxonomies"."id" = 1 OR "taxonomies"."ancestry" ILIKE '1/%') OR "taxonomies"."ancestry" = '1'))  ORDER BY "taxonomies"."title" ASC
2016-03-21T17:40:06 [sql] [D]    (1.6ms)  SELECT COUNT(*) FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location') AND ( (taxonomies.id in (1,3)))
2016-03-21T17:40:06 [app] [D] Setting current location thread-local variable to none
2016-03-21T17:40:06 [sql] [D]   AuthSource Load (0.2ms)  SELECT  "auth_sources".* FROM "auth_sources"  WHERE "auth_sources"."id" = $1 LIMIT 1  [["id", 1]]
2016-03-21T17:40:06 [sql] [D]   Role Load (0.2ms)  SELECT DISTINCT "roles".* FROM "roles" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = $1  [["user_id", 5]]
2016-03-21T17:40:06 [sql] [D]    (0.4ms)  SELECT permissions.name FROM "permissions" INNER JOIN "filterings" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "filters" ON "filterings"."filter_id" = "filters"."id" WHERE "filters"."role_id" = $1  ORDER BY filters.role_id, filters.id  [["role_id", 14]]
2016-03-21T17:40:06 [sql] [D]    (0.5ms)  SELECT permissions.name FROM "permissions" INNER JOIN "filterings" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "filters" ON "filterings"."filter_id" = "filters"."id" WHERE "filters"."role_id" = $1  ORDER BY filters.role_id, filters.id  [["role_id", 8]]
2016-03-21T17:40:06 [app] [I]   Rendered common/403.html.erb within layouts/application (2.4ms)
2016-03-21T17:40:06 [app] [I]   Rendered layouts/_application_content.html.erb (1.1ms)
2016-03-21T17:40:09 [app] [I]   Rendered home/_user_dropdown.html.erb (3.9ms)
2016-03-21T17:40:09 [sql] [D]   CACHE (0.1ms)  SELECT "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization') AND ((("taxonomies"."id" = 2 OR "taxonomies"."ancestry" ILIKE '2/%') OR "taxonomies"."ancestry" = '2'))  ORDER BY "taxonomies"."title" ASC
2016-03-21T17:40:09 [sql] [D]   CACHE (0.0ms)  SELECT COUNT(*) FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization') AND ( (taxonomies.id in (2)))
2016-03-21T17:40:09 [sql] [D]   CACHE (0.0ms)  SELECT "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization') AND ((("taxonomies"."id" = 2 OR "taxonomies"."ancestry" ILIKE '2/%') OR "taxonomies"."ancestry" = '2'))  ORDER BY "taxonomies"."title" ASC
2016-03-21T17:40:09 [sql] [D]   Organization Load (0.7ms)  SELECT "taxonomies".* FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Organization') AND ( (taxonomies.id in (2)))  ORDER BY "taxonomies"."title" ASC
2016-03-21T17:40:09 [app] [I]   Rendered home/_organization_dropdown.html.erb (12.4ms)
2016-03-21T17:40:09 [sql] [D]   CACHE (0.0ms)  SELECT "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location') AND ((("taxonomies"."id" = 1 OR "taxonomies"."ancestry" ILIKE '1/%') OR "taxonomies"."ancestry" = '1'))  ORDER BY "taxonomies"."title" ASC
2016-03-21T17:40:09 [sql] [D]   CACHE (0.0ms)  SELECT COUNT(*) FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location') AND ( (taxonomies.id in (1,3)))
2016-03-21T17:40:09 [sql] [D]   CACHE (0.0ms)  SELECT "taxonomies"."id" FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location') AND ((("taxonomies"."id" = 1 OR "taxonomies"."ancestry" ILIKE '1/%') OR "taxonomies"."ancestry" = '1'))  ORDER BY "taxonomies"."title" ASC
2016-03-21T17:40:09 [sql] [D]   Location Load (1.3ms)  SELECT "taxonomies".* FROM "taxonomies"  WHERE "taxonomies"."type" IN ('Location') AND ( (taxonomies.id in (1,3)))  ORDER BY "taxonomies"."title" ASC
2016-03-21T17:40:09 [app] [I]   Rendered home/_location_dropdown.html.erb (14.0ms)
2016-03-21T17:40:09 [app] [I]   Rendered home/_org_switcher.html.erb (27.8ms)
2016-03-21T17:40:09 [app] [I]   Rendered home/_submenu.html.erb (3.0ms)
2016-03-21T17:40:09 [app] [I]   Rendered home/_submenu.html.erb (8.4ms)
2016-03-21T17:40:09 [app] [I]   Rendered home/_submenu.html.erb (3.2ms)
2016-03-21T17:40:09 [app] [I]   Rendered home/_submenu.html.erb (1.7ms)
2016-03-21T17:40:09 [app] [I]   Rendered home/_submenu.html.erb (3.0ms)
2016-03-21T17:40:09 [app] [I]   Rendered home/_topbar.html.erb (130.2ms)
2016-03-21T17:40:09 [app] [I]   Rendered layouts/base.html.erb (3213.0ms)
2016-03-21T17:40:09 [app] [I] Filter chain halted as :authorize rendered or redirected
2016-03-21T17:40:09 [app] [I] Completed 403 Forbidden in 3281ms (Views: 3222.8ms | ActiveRecord: 10.9ms)

Associated revisions

Revision 1873eb7e (diff)
Added by Dominik Hlavac Duran over 3 years ago

Fixes #14301 - Grant access to help pages for view permissions

Revision 1c70add1 (diff)
Added by Dominik Hlavac Duran over 3 years ago

Fixes #14301 - Grant access to help pages for view permissions

(cherry picked from commit 1873eb7ebb59ee9eb5ded732118db0b009636aa1)
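The log shows the help URL being served by the welcome action ("Started GET /architectures/help" followed by "Processing by ArchitecturesController#welcome") and the :authorize filter halting the chain with a 403 once the user's role permissions have been loaded. The following is an added example, not Foreman's code or the code from the linked pull request: a minimal model of an action-level authorize filter that reproduces the refusal for a view-only role and shows the effect of the fix described in the commit message, namely granting the help page's action to the view permission. The route table, permission table, role names and function names are all constructed for illustration.

```ruby
# Added example, not Foreman's own code. A minimal model of an action-level
# :authorize filter that reproduces the 403 in the bug report's log and shows
# the effect of granting help pages to a view permission, as the fix does.
# Every table and name below is constructed for illustration.

require 'set'

# Route table: path => [controller, action] (constructed). The help URL is
# served by the welcome action, as the log shows.
ROUTES = {
  '/architectures'        => %w[architectures index],
  '/architectures/help'   => %w[architectures welcome],
  '/architectures/1/edit' => %w[architectures edit],
}.freeze

# Permission name => { controller => actions it grants } (constructed).
# Before the fix, the view permission does not cover the welcome action.
PERMISSIONS_BEFORE = {
  'view_architectures' => { 'architectures' => %w[index show auto_complete_search] },
  'edit_architectures' => { 'architectures' => %w[edit update] },
}.freeze

# After the fix: the view permission also grants the help page's action.
PERMISSIONS_AFTER = PERMISSIONS_BEFORE.merge(
  'view_architectures' => { 'architectures' => %w[index show auto_complete_search welcome] }
).freeze

# A role is a name plus the permission names it carries (the log loads two
# roles for the user and then the permission names of each).
Role = Struct.new(:name, :permissions)

# Union of controller/action pairs reachable through any of the user's roles.
def allowed_actions(roles, table)
  roles.each_with_object(Set.new) do |role, acc|
    role.permissions.each do |perm|
      table.fetch(perm, {}).each do |controller, actions|
        actions.each { |a| acc << "#{controller}/#{a}" }
      end
    end
  end
end

# Model of the :authorize filter: 200 lets the chain continue, 403 halts it
# (the "Filter chain halted as :authorize" line). Unknown paths yield 404.
def authorize(roles, path, table)
  controller, action = ROUTES[path]
  return 404 unless controller
  allowed_actions(roles, table).include?("#{controller}/#{action}") ? 200 : 403
end

# Reproduce the report: a user with a view-only role requests the help page.
def help_page_status(table)
  viewer = Role.new('Viewer', ['view_architectures'])
  authorize([viewer], '/architectures/help', table)
end

# Defender's check over a permission table: which view_* permissions still
# lack the action that serves the help page?
def view_permissions_without_help(table)
  table.select do |name, by_controller|
    name.start_with?('view_') && by_controller.none? { |_, acts| acts.include?('welcome') }
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{help_page_status(PERMISSIONS_BEFORE)}"  # 403
  puts "after fix:  #{help_page_status(PERMISSIONS_AFTER)}"   # 200
  puts "missing before: #{view_permissions_without_help(PERMISSIONS_BEFORE).inspect}"
end
```

The model denies by default: an action that no permission lists is refused even for an authenticated user, which is the behaviour the log records. The audit helper is the kind of check a maintainer can run over a real permission table after a change like this one, to confirm that every view permission covers the help action and that no edit-level action was added to a view permission by mistake.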

History

#1 Updated by Marek Hulán over 3 years ago

  • Target version set to 115

#2 Updated by Dominik Hlavac Duran over 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominik Hlavac Duran

#3 Updated by The Foreman Bot over 3 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3690 added

#4 Updated by Dominik Hlavac Duran over 3 years ago

  • Target version changed from 115 to 1.6.3

#5 Updated by Dominik Hlavac Duran over 3 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#6 Updated by Dominic Cleal over 3 years ago

  • Legacy Backlogs Release (now unused) set to 175