Bug #28405

Non-admin users always get "Missing one of the required permissions" message while accessing their own table_preferences via API

Added by Dominik Matoulek 3 months ago. Updated about 1 month ago.

Status: Closed
Priority: Normal
Category: Users
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1757394

Description of problem:

Non-Admin Users cannot access their own table_preferences via REST API, no matter what possible combination of roles has been assigned to them.

The same user will be able to access the table_preferences, when you mark the user as "ADMIN".

Version-Release number of selected component (if applicable):

How reproducible:
100 %

Steps to Reproduce:
1. Create a user "NA-USER" on Satellite GUI but don't mark it as Admin.

2. Try to access the API https://sat-fqdn/api/users/:id/table_preferences where the ":id" is the ID of "NA-USER" and authentication is being done by the same user.

3. Assign all the Roles to the user "NA-USER" but don't mark it as "Admin" and then try accessing the API again.

Actual results:
In both step 2 and 3, the REST API will return:

~~~~~~~~~~
{
  "error": {
    "message": "Access denied",
    "details": "Missing one of the required permissions: "
  }
}
~~~~~~~~~~

Expected results:
It should display the table_preferences without throwing any error.

Additional info:
If I mark the same user as Admin, it will be able to execute the API successfully and will be able to see the result as well.

I went through the discussion "https://community.theforeman.org/t/user-preferences/12007/4", but I was unable to get any pointers from the same which might help me to understand what might be the problem here.
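A regression check for the reproduction steps above, added here as an example; it is not code from the reporter or from the Foreman project. It requests a user's own table_preferences and reports a denial that names no permission as its own case, which matches the observation that assigning every role in step 3 changes nothing. HTTP Basic authentication, the helper names and the comma-separated permission list are assumptions.

```python
import base64
import json
import urllib.error
import urllib.request

# Error body quoted in the report (steps 2 and 3), reused here as sample input.
DENIED_BODY = ('{"error": {"message": "Access denied", '
               '"details": "Missing one of the required permissions: "}}')
PREFIX = "Missing one of the required permissions:"


def classify(status, body):
    """Map an API response to ok / denied-no-permission-listed / denied-missing:... / other."""
    if status == 200:
        return "ok"
    try:
        err = json.loads(body)["error"]
        message, details = err["message"], err["details"]
    except (ValueError, KeyError, TypeError):
        return "other"
    if message != "Access denied" or not str(details).startswith(PREFIX):
        return "other"
    # Assumption: when permissions are named, they follow the colon, comma-separated.
    perms = [p.strip() for p in str(details)[len(PREFIX):].split(",") if p.strip()]
    if not perms:
        return "denied-no-permission-listed"  # the case in this report
    return "denied-missing:" + ",".join(perms)


def fetch(base_url, user_id, login, password):
    """GET /api/users/:id/table_preferences as the user; HTTP Basic auth is assumed."""
    url = f"{base_url}/api/users/{user_id}/table_preferences"
    token = base64.b64encode(f"{login}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": "Basic " + token, "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


def check_own_preferences(base_url, user_id, login, password, fetcher=fetch):
    """Run the report's step 2 for one user and classify the outcome."""
    return classify(*fetcher(base_url, user_id, login, password))
```

On a fixed server, `check_own_preferences` should return `"ok"` for a non-admin user querying their own ID.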

Associated revisions

Revision 6a5903a4 (diff)
Added by Dominik Matoulek about 1 month ago

Fixes #28405 - Missing permissions to Table Preferences

History

#1 Updated by The Foreman Bot 3 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/7226 added

#2 Updated by Tomer Brisker 2 months ago

  • Subject changed from [BUG] Non-admin users always get "Missing one of the required permissions" message while accessing their own table_preferences via Satellite 6 API to Non-admin users always get "Missing one of the required permissions" message while accessing their own table_preferences via API

#3 Updated by Tomer Brisker 2 months ago

  • Category set to Users

#4 Updated by The Foreman Bot about 1 month ago

  • Pull request https://github.com/theforeman/foreman/pull/7220 added

#5 Updated by The Foreman Bot about 1 month ago

  • Fixed in Releases 2.0.0 added

#6 Updated by Dominik Matoulek about 1 month ago

  • Status changed from Ready For Testing to Closed

#7 Updated by Tomer Brisker about 1 month ago

  • Assignee set to Dominik Matoulek
  • Fixed in Releases 1.24.2 added
  • Pull request deleted (https://github.com/theforeman/foreman/pull/7220)