Bug #2266
closedAPI doesn't honor 'view_facts' permission
Description
I have a Role with the 'view_facts' permission set.
However, users assigned to that role cannot access http://foreman/api/fact_values
Relevant (irc conversation):
21:57:20 <jpalmer> ohadlevy: question: is admin access or edit access required for the API? or is it more granular? (IE, can I write tools to just query the API in a read-only mode, with only view
permissions?)
21:57:47 <ohadlevy> jpalmer: we use the same permissions that you can grant via the web interface
21:58:08 <ohadlevy> jpalmer: so if you have an account that can only list hosts in domain xyz, then the same should be on the api
21:59:07 <ohadlevy> avtar: let me know if you need help?
21:59:09 <jpalmer> ohadlevy: ok. I have a role that has "view_facts" granted. but when I query /api/fact_values, I get "Access Denied" but if I grant that user Administrator, it works,
21:59:35 <ohadlevy> jpalmer: hmm...there is a possibility that we forgot something, let me have a look
22:00:09 <ohadlevy> jpalmer: yep, its missing from the permissions list
22:00:28 <ohadlevy> jpalmer: its pretty easy to fix if you want to give it a try, regardless, you should open a bug
22:00:55 <jpalmer> I'll open a bug now. then try my hand at (eally bad!) ruby, to see if I can append a patch
22:01:27 <ohadlevy> jpalmer: all of the mappings are here https://github.com/theforeman/foreman/blob/develop/lib/foreman/access_permissions.rb
22:01:44 <ohadlevy> jpalmer: so you would just need to find the view_facts one, and add the api statements (like its done for others)
22:01:58 <ohadlevy> jpalmer: e.g. copy from the architecture one
22:06:34 <jpalmer> ohadlevy: thanks sir. I'll take a stab at it. appreciate your time
I'll see if I can fix the issue, and submit a patch in the next 48 hours.
Updated by Jeff Palmer almost 12 years ago
- Status changed from New to Closed
- % Done changed from 0 to 100
Applied in changeset 7cddc10e41cf4f2d17049593160cb951e874ba15.