From 0c15b631558536094a460cefbc79aea93f457385 Mon Sep 17 00:00:00 2001
From: Tim Wade
Date: Fri, 10 Feb 2017 07:53:22 -0800
Subject: [PATCH 1/4] Add some failing tests for providers/cloud networks access
---
 spec/requests/api/cloud_networks_spec.rb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/spec/requests/api/cloud_networks_spec.rb b/spec/requests/api/cloud_networks_spec.rb
index b35cef3734c..c8b0d1e8d3f 100644
--- a/spec/requests/api/cloud_networks_spec.rb
+++ b/spec/requests/api/cloud_networks_spec.rb
@@ -34,6 +34,14 @@
 expect_result_resources_to_include_data('resources', 'id' => cloud_network_ids)
 end
+ it "will not list cloud networks of a provider without the appropriate role" do
+ api_basic_authorize
+
+ run_get providers_cloud_networks_url
+
+ expect(response).to have_http_status(:forbidden)
+ end
+
 it 'queries individual provider cloud_network' do
 api_basic_authorize collection_action_identifier(:providers, :read, :get)
 network = provider.cloud_networks.first
@@ -44,6 +52,16 @@
 expect_single_resource_query('name' => network.name, 'id' => network.id, 'ems_ref' => network.ems_ref)
 end
+ it "will not show the cloud network of a provider without the appropriate role" do
+ api_basic_authorize
+ network = provider.cloud_networks.first
+ cloud_network_url = "#{providers_cloud_networks_url}/#{network.id}"
+
+ run_get cloud_network_url
+
+ expect(response).to have_http_status(:forbidden)
+ end
+
 it 'successfully returns providers on query when providers do not have cloud_networks attribute' do
 FactoryGirl.create(:ems_openshift) # Openshift does not respond to #cloud_networks
 FactoryGirl.create(:ems_amazon_with_cloud_networks) # Provider with cloud networks
From 2175fa0d9707573d516704b1aa5e0df01077af61 Mon Sep 17 00:00:00 2001
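Review bot: Both added negative specs (`will not list cloud networks of a provider…` here and `will not show the cloud network of a provider…` in the second hunk) call `api_basic_authorize` with no identifier, so they only prove that a user holding no role at all is refused. The positive specs visible as context authorize with `collection_action_identifier(:providers, :read, :get)`, which suggests the case that matters is a user who may read providers but lacks the cloud-networks role. I would add a variant of each spec that authorizes with that identifier and still expects `have_http_status(:forbidden)`. Both `it` blocks sit inside a describe block that starts outside the hunks.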
From: Tim Wade
Date: Fri, 10 Feb 2017 07:59:24 -0800
Subject: [PATCH 2/4] Fix cloud networks subcollection action config
---
 config/api.yml | 4 ++--
 spec/requests/api/cloud_networks_spec.rb | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/config/api.yml b/config/api.yml
index 4245f387bd0..8272b995b8e 100644
--- a/config/api.yml
+++ b/config/api.yml
@@ -1126,8 +1126,8 @@
 :identifier: ems_infra_protect
 :cloud_networks_subcollection_actions:
 :get:
- - :name: show
- - :identifier: miq_cloud_networks_view
+ - :name: read
+ :identifier: miq_cloud_networks_view
 :provision_dialogs:
 :description: Provisioning Dialogs
 :identifier: miq_ae_customization_explorer
diff --git a/spec/requests/api/cloud_networks_spec.rb b/spec/requests/api/cloud_networks_spec.rb
index c8b0d1e8d3f..77adde7a896 100644
--- a/spec/requests/api/cloud_networks_spec.rb
+++ b/spec/requests/api/cloud_networks_spec.rb
@@ -26,7 +26,7 @@
 it 'queries Providers cloud_networks' do
 cloud_network_ids = provider.cloud_networks.pluck(:id)
- api_basic_authorize collection_action_identifier(:providers, :read, :get)
+ api_basic_authorize subcollection_action_identifier(:providers, :cloud_networks, :read, :get)
 run_get providers_cloud_networks_url, :expand => 'resources'
@@ -88,7 +88,7 @@
 openshift = FactoryGirl.create(:ems_openshift)
 openshift_cloud_networks_url = "#{providers_url(openshift.id)}/cloud_networks"
- api_basic_authorize collection_action_identifier(:providers, :read, :get)
+ api_basic_authorize subcollection_action_identifier(:providers, :cloud_networks, :read, :get)
 run_get openshift_cloud_networks_url, :expand => 'resources'
From 3dfe387c172ca93c04e8de966005c910b87cb6ce Mon Sep 17 00:00:00 2001
From: Tim Wade
Date: Fri, 10 Feb 2017 08:01:52 -0800
Subject: [PATCH 3/4] Enforce access rules for cloud network member reads
---
 config/api.yml | 4 ++++
 spec/requests/api/cloud_networks_spec.rb | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
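Review bot: Nothing in this commit stops the typo fixed in the `config/api.yml` hunk from recurring elsewhere in the file: the two removed lines under `:cloud_networks_subcollection_actions:` were separate list items, one carrying only `:name:` and the other only `:identifier:`. Judging by the specs in PATCH 1/4, which had to be written as failing, an action entry with no identifier appears to have been served without a role check, so this mistake fails open. I would add a spec that loads the file and asserts that every entry under an `*_actions` key carries both `:name` and `:identifier`. A comment above the block, such as `# each action entry is ONE list item holding both :name and :identifier`, would also help the next editor.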
diff --git a/config/api.yml b/config/api.yml
index 8272b995b8e..f36ab2224b0 100644
--- a/config/api.yml
+++ b/config/api.yml
@@ -1128,6 +1128,10 @@
 :get:
 - :name: read
 :identifier: miq_cloud_networks_view
+ :cloud_networks_subresource_actions:
+ :get:
+ - :name: read
+ :identifier: miq_cloud_networks_view
 :provision_dialogs:
 :description: Provisioning Dialogs
 :identifier: miq_ae_customization_explorer
diff --git a/spec/requests/api/cloud_networks_spec.rb b/spec/requests/api/cloud_networks_spec.rb
index 77adde7a896..a0fb3335c96 100644
--- a/spec/requests/api/cloud_networks_spec.rb
+++ b/spec/requests/api/cloud_networks_spec.rb
@@ -43,7 +43,7 @@
 end
 it 'queries individual provider cloud_network' do
- api_basic_authorize collection_action_identifier(:providers, :read, :get)
+ api_basic_authorize(action_identifier(:providers, :read, :cloud_networks_subresource_actions, :get))
 network = provider.cloud_networks.first
 cloud_network_url = "#{providers_cloud_networks_url}/#{network.id}"
From d39a9e13c83c4b961ae3262e19a85d226ad0cafd Mon Sep 17 00:00:00 2001
From: Tim Wade
Date: Fri, 10 Feb 2017 08:03:30 -0800
Subject: [PATCH 4/4] Cloud network action identifiers can be generic
---
 config/api.yml | 16 ++++++++--------
 spec/requests/api/cloud_networks_spec.rb | 2 +-
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/config/api.yml b/config/api.yml
index f36ab2224b0..00f0fb44143 100644
--- a/config/api.yml
+++ b/config/api.yml
@@ -409,6 +409,14 @@
 :post:
 - :name: query
 :identifier: miq_cloud_networks_view
+ :subcollection_actions:
+ :get:
+ - :name: read
+ :identifier: miq_cloud_networks_view
+ :subresource_actions:
+ :get:
+ - :name: read
+ :identifier: miq_cloud_networks_view
 :clusters:
 :description: Clusters
 :identifier: ems_cluster
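Review bot: The member-read spec changed in the PATCH 3/4 spec hunk builds its URL from `provider.cloud_networks.first`, so it only requests a network that belongs to the provider named in the path. That covers the role check this commit adds but not the parent-to-child scoping. I would add a spec that creates a network under a second provider, requests it through `"#{providers_cloud_networks_url}/#{other_network.id}"`, and expects a non-success status, so a network id from another provider is shown not to be served under this provider's path. Whether the controller already scopes the lookup cannot be seen from this hunk, and the `it` block continues past it.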
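Review bot: The new `:subcollection_actions:` and `:subresource_actions:` keys under `:cloud_networks:` in PATCH 4/4 carry no comment saying that they now appear to govern cloud networks under any parent collection, whereas the keys they replace were specific to providers. Because this block decides which role a request needs, I would add a comment above it such as `# generic rules: apply wherever cloud_networks is exposed as a subcollection`. It should also state the precedence if a parent later defines its own `:cloud_networks_subcollection_actions`, once that lookup order is confirmed in the API code. The provider-specific keys are deleted in the following hunk of the same file.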
@@ -1124,14 +1132,6 @@
 :identifier: ems_infra_protect
 - :name: unassign
 :identifier: ems_infra_protect
- :cloud_networks_subcollection_actions:
- :get:
- - :name: read
- :identifier: miq_cloud_networks_view
- :cloud_networks_subresource_actions:
- :get:
- - :name: read
- :identifier: miq_cloud_networks_view
 :provision_dialogs:
 :description: Provisioning Dialogs
 :identifier: miq_ae_customization_explorer
diff --git a/spec/requests/api/cloud_networks_spec.rb b/spec/requests/api/cloud_networks_spec.rb
index a0fb3335c96..14d621b0054 100644
--- a/spec/requests/api/cloud_networks_spec.rb
+++ b/spec/requests/api/cloud_networks_spec.rb
@@ -43,7 +43,7 @@
 end
 it 'queries individual provider cloud_network' do
- api_basic_authorize(action_identifier(:providers, :read, :cloud_networks_subresource_actions, :get))
+ api_basic_authorize(action_identifier(:cloud_networks, :read, :subresource_actions, :get))
 network = provider.cloud_networks.first
 cloud_network_url = "#{providers_cloud_networks_url}/#{network.id}"