Plugins » Katello

Description of problem:

API request to fetch the CV filter rules for a particular content-view can display filter rule information of another CV filter.

Affected api:

GET /katello/api/content_view_filters/:content_view_filter_id/rules/:id Show filter rule info

How reproducible: Always

Steps to Reproduce:
1. Create 2 CVs testcv1 and testcv2 to keep it simple.
2. Add some repo on them and create one filter a piece on the CVs with "erratum by ID"
3. Include some errata in the filters, publish a cv version

Additional info:

Lets assume that the testcv1 has a filter with content_view_filter_id=1, testcv2 has a filter with content_view_filter_id=1

Output of filter1:

=================
[root ~]# curl -s -u admin:redhat -k "-H Content-Type: application/json" "-d{\"per_page\":9999999}" -X GET https://centos7.localhost.example.com/katello/api/v2/content_view_filters/1/rules/ | python -m json.tool {
"error": null,
"page": 1,
"per_page": 20,
"results": [ {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:14 UTC",
"date_type": "updated",
"errata_id": "RHBA-2017:2804",
"id": 1,
"updated_at": "2018-08-28 13:43:14 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:14 UTC",
"date_type": "updated",
"errata_id": "RHBA-2017:2467",
"id": 2,
"updated_at": "2018-08-28 13:43:14 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2018:1673",
"id": 3,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2018:0372",
"id": 4,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2018:0272",
"id": 5,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2017:3491",
"id": 6,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2017:1554",
"id": 7,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2017:1192",
"id": 8,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2017:0446",
"id": 9,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2017:0198",
"id": 10,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2016:2939",
"id": 11,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2016:2700",
"id": 12,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2016:2109",
"id": 13,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2016:1992",
"id": 14,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2016:1886",
"id": 15,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2016:1616",
"id": 16,
"updated_at": "2018-08-28 13:43:28 UTC"
}, {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:28 UTC",
"date_type": "updated",
"errata_id": "RHBA-2016:1503",
"id": 17,
"updated_at": "2018-08-28 13:43:28 UTC"
}
],
"search": null,
"sort": {
"by": "id",
"order": "asc"
},
"subtotal": 17,
"total": 17
}

===================

Output of filter 2:

---

root ~]# curl -s -u admin:redhat -k "-H Content-Type: application/json" "-d{\"per_page\":9999999}" -X GET https://centos7.localhost.example.com/katello/api/v2/content_view_filters/2/rules/ | python -m json.tool {
"error": null,
"page": 1,
"per_page": 20,
"results": [ {
"content_view_filter_id": 2,
"created_at": "2018-08-28 13:45:11 UTC",
"date_type": "updated",
"errata_id": "RHBA-2018:1127",
"id": 18,
"updated_at": "2018-08-28 13:45:11 UTC"
}, {
"content_view_filter_id": 2,
"created_at": "2018-08-28 13:45:11 UTC",
"date_type": "updated",
"errata_id": "RHBA-2018:0338",
"id": 19,
"updated_at": "2018-08-28 13:45:11 UTC"
}
],
"search": null,
"sort": {
"by": "id",
"order": "asc"
},
"subtotal": 2,
"total": 2
}

---

If you see the above output then the filter 2 does not have any rules with id "1". So ideally filter 2 should not display any information for GET request for rules with that id. But that's not the case, because same GET request results into the information of rule with id 1 from the filter 1 which is not ideal.

Actual Result:

[root ~]# curl -s -u admin:redhat -k "-H Content-Type: application/json" "-d{\"per_page\":9999999}" -X GET https://centos7.localhost.example.com/katello/api/v2/content_view_filters/2/rules/1 | python -m json.tool {
"content_view_filter_id": 1,
"created_at": "2018-08-28 13:43:14 UTC",
"date_type": "updated",
"errata_id": "RHBA-2017:2804",
"id": 1,
"updated_at": "2018-08-28 13:43:14 UTC"
}

Expected result:

[root ~]# curl -s -u admin:redhat -k "-H Content-Type: application/json" "-d{\"per_page\":9999999}" -X GET https://centos7.localhost.example.com/katello/api/v2/content_view_filters/2/rules/1 | python -m json.tool {
"displayMessage": "Couldn't find Katello::ContentViewErratumFilterRule with 'id'=1",
"errors": [
"Couldn't find Katello::ContentViewErratumFilterRule with 'id'=1"
]
}