Bug #29420
POST /api/hosts/:id should not accept capabilities
Status: New
Priority: Normal
Assignee: -
Category: API
Target version: -
Description
Creating/updating a host currently accepts a string "capabilities" (see https://github.com/theforeman/foreman/blob/40fab71c99f8bf3195e59af08524233c6e2cf7af/app/controllers/api/v2/hosts_controller.rb#L109), but to my understanding capabilities is really a list of available provisioning methods, so while it's useful to have it in the show output of the entity, there is no point in allowing the API to allow it.
Trying to set it to some random string fails anyways.
2020-03-26T13:26:48 [I|app|d07891aa] Started PUT "/api/hosts/2" for 192.168.122.1 at 2020-03-26 13:26:48 +0000
2020-03-26T13:26:48 [I|app|d07891aa] Processing by Api::V2::HostsController#update as JSON
2020-03-26T13:26:48 [I|app|d07891aa] Parameters: {"host"=>{"capabilities"=>"lolwhat"}, "apiv"=>"v2", "id"=>"2"}
2020-03-26T13:26:48 [W|app|d07891aa] Action failed
2020-03-26T13:26:48 [I|app|d07891aa] Rendering api/v2/errors/custom_error.json.rabl within api/v2/layouts/error_layout
2020-03-26T13:26:48 [I|app|d07891aa] Rendered api/v2/errors/custom_error.json.rabl within api/v2/layouts/error_layout (1.1ms)
2020-03-26T13:26:48 [I|app|d07891aa] Completed 500 Internal Server Error in 38ms (Views: 4.6ms | ActiveRecord: 4.1ms)
It's also not exposed in the WebUI or hammer at all.