Bug #2266

API doesn't honor 'view_facts' permission

Added by Jeff Palmer about 6 years ago. Updated about 6 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: API
Target version:
Difficulty:
Triaged: No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

I have a Role with the 'view_facts' permission set.

However, users assigned to that role cannot access http://foreman/api/fact_values

Relevant (irc conversation):

21:57:20 <jpalmer> ohadlevy: question: is admin access or edit access required for the API? or is it more granular? (IE, can I write tools to just query the API in a read-only mode, with only view permissions?)
21:57:47 <ohadlevy> jpalmer: we use the same permissions that you can grant via the web interface
21:58:08 <ohadlevy> jpalmer: so if you have an account that can only list hosts in domain xyz, then the same should be on the api
21:59:07 <ohadlevy> avtar: let me know if you need help?
21:59:09 <jpalmer> ohadlevy: ok. I have a role that has "view_facts" granted. but when I query /api/fact_values, I get "Access Denied", but if I grant that user Administrator, it works.
21:59:35 <ohadlevy> jpalmer: hmm...there is a possibility that we forgot something, let me have a look
22:00:09 <ohadlevy> jpalmer: yep, it's missing from the permissions list
22:00:28 <ohadlevy> jpalmer: it's pretty easy to fix if you want to give it a try, regardless, you should open a bug
22:00:55 <jpalmer> I'll open a bug now. then try my hand at (really bad!) ruby, to see if I can append a patch
22:01:27 <ohadlevy> jpalmer: all of the mappings are here https://github.com/theforeman/foreman/blob/develop/lib/foreman/access_permissions.rb
22:01:44 <ohadlevy> jpalmer: so you would just need to find the view_facts one, and add the api statements (like it's done for others)
22:01:58 <ohadlevy> jpalmer: e.g. copy from the architecture one
22:06:34 <jpalmer> ohadlevy: thanks sir. I'll take a stab at it. appreciate your time

I'll see if I can fix the issue, and submit a patch in the next 48 hours.
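Added example (not Foreman's code and not the fix in revision 7cddc10e): a toy model of the permission-to-controller mapping style the IRC log refers to, where the web UI controller and the API controller are separate entries under one permission, plus an audit that flags a web controller whose api/v1 counterpart is not mapped under the same permission. Controller names, action lists and the 'api/v1/' prefix are assumptions made for illustration.

```ruby
# Constructed mapping in the shape permission => { controller => [actions] }.
# The "before" mapping reproduces the bug: view_facts covers only the web
# controller, so an API client holding just view_facts is denied.
PERMISSIONS_BEFORE = {
  view_architectures: { 'architectures'        => %i[index show auto_complete_search],
                        'api/v1/architectures' => %i[index show] },
  view_facts:         { 'fact_values'          => %i[index show] }  # api/v1 entry missing
}.freeze

# The "after" mapping adds the API statements, as was done for architectures.
PERMISSIONS_AFTER = {
  view_architectures: PERMISSIONS_BEFORE[:view_architectures],
  view_facts:         { 'fact_values'        => %i[index show],
                        'api/v1/fact_values' => %i[index show] }
}.freeze

# True when any of the user's granted permissions maps controller#action.
def authorized?(mapping, granted, controller, action)
  granted.any? do |perm|
    actions = mapping.fetch(perm, {})[controller]
    actions && actions.include?(action)
  end
end

# Audit: every web controller under a permission should have its
# api_prefix + controller counterpart mapped under that same permission.
# Returns { permission => [missing API controllers] } for the gaps found.
def uncovered_api_controllers(mapping, api_prefix: 'api/v1/')
  mapping.each_with_object({}) do |(perm, controllers), gaps|
    web     = controllers.keys.reject { |c| c.start_with?(api_prefix) }
    missing = web.map { |c| api_prefix + c } - controllers.keys
    gaps[perm] = missing unless missing.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  role = [:view_facts]
  puts authorized?(PERMISSIONS_BEFORE, role, 'fact_values', :index)        # true  (web UI)
  puts authorized?(PERMISSIONS_BEFORE, role, 'api/v1/fact_values', :index) # false (Access Denied)
  puts authorized?(PERMISSIONS_AFTER,  role, 'api/v1/fact_values', :index) # true  (after fix)
  p uncovered_api_controllers(PERMISSIONS_BEFORE)                          # {:view_facts=>["api/v1/fact_values"]}
end
```

Running the audit over the real mapping file would catch the whole class of "web route covered, API route not" gaps rather than only the fact_values instance.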


Related issues

Related to Foreman - Bug #2248: Authorization of API actions should match app permissions (Closed, 2013-02-25)

Associated revisions

Revision 7cddc10e (diff)
Added by Jeff Palmer about 6 years ago

fixes #2266 - API doesn't honor 'view_facts' permission

History

#1 Updated by Ohad Levy about 6 years ago

  • Target version set to 1.2.0

#2 Updated by Jeff Palmer about 6 years ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100
