Bug #16687: 'access_settings' permission should be removed
Status: open
Description
While creating a new repository, the download policy gets loaded successfully but it still displays the message 'You are not authorized to perform this action.' It looks like AJAX is making a Foreman API call:
"/api/v2/settings?search=name+%3D+default_download_policy"
Updated by Ranjan Kumar over 8 years ago
- Related to Bug #16505: Unable to create a repository as non-admin user added
Updated by Dominic Cleal over 8 years ago
- Project changed from Foreman to Katello
The API mentioned is a Foreman API, but this describes a Katello issue, so moving. If there's an issue with the API, please show it in more detail with logs/reproducer etc.
Updated by Justin Sherrill over 8 years ago
- Project changed from Katello to Foreman
- Subject changed from Non admin user with all permission on products get error message "You are not authorized to perform this action." to User with 'access_settings' permission cannot access /api/v2/settings
- Category set to Users, Roles and Permissions
To clarify, the issue is here:
https://github.com/theforeman/foreman/blob/develop/app/controllers/settings_controller.rb#L4
One would think 'access_settings' would give the user read access to the settings, but it does not seem to.
Updated by Dominic Cleal over 8 years ago
https://github.com/theforeman/foreman/blob/develop/app/controllers/api/v2/settings_controller.rb#L4 rather, for the API.
I don't think the access_settings permission should exist; settings should only really be viewed and edited by administrators, as they are system-wide and some contain very sensitive data. It would need replacing with separate view/edit permissions if this was to be fixed. Non-admin users should not be expected to have access_settings; this would be very unusual.
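As an added illustration of the split proposed above (example code written for this page, not Foreman's own controller or permission code): a read/write check where 'view_settings' and 'edit_settings' are hypothetical permission names, settings flagged as sensitive stay admin-only no matter which permissions were granted, and the sample settings are constructed for the example.

```ruby
# Added example, not Foreman code: separate view/edit authorization for
# settings, with sensitive settings restricted to administrators.
Setting = Struct.new(:name, :value, :sensitive)

# Hypothetical permission names chosen for this example.
VIEW = 'view_settings'
EDIT = 'edit_settings'

class User
  attr_reader :login, :permissions

  def initialize(login, admin: false, permissions: [])
    @login = login
    @admin = admin
    @permissions = permissions
  end

  def admin?
    @admin
  end
end

# True if +user+ may perform +action+ (:view or :edit) on +setting+.
# Admins always pass; a sensitive setting is never exposed to non-admins,
# even one holding the view/edit permission.
def authorized?(user, action, setting)
  return true if user.admin?
  return false if setting.sensitive
  needed = action == :edit ? EDIT : VIEW
  user.permissions.include?(needed)
end

# What a read endpoint such as the settings listing would return for +user+:
# only the names of settings that user is allowed to view.
def visible_settings(user, settings)
  settings.select { |s| authorized?(user, :view, s) }.map(&:name)
end

# Constructed sample settings (the first name comes from the report above,
# the second is a placeholder for a secret-bearing setting).
DOWNLOAD_POLICY = Setting.new('default_download_policy', 'on_demand', false)
EXAMPLE_SECRET  = Setting.new('example_api_secret', 'PLACEHOLDER', true)

if __FILE__ == $PROGRAM_NAME
  viewer = User.new('viewer', permissions: [VIEW])
  puts visible_settings(viewer, [DOWNLOAD_POLICY, EXAMPLE_SECRET]).inspect
end
```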
Updated by Justin Sherrill over 8 years ago
- Subject changed from User with 'access_settings' permission cannot access /api/v2/settings to 'access_settings' permission should be removed
I can see arguments either way, but I'm okay keeping them restricted. I'll rename this to remove that permission to reduce confusion.