Further details from Daniel's report:

I dug into this, and here's the problem:

  - https://github.com/theforeman/foreman/blob/1.12.0/app/controllers/concerns/find_common.rb#L37
    is called from:
    https://github.com/theforeman/foreman/blob/1.12.0/app/controllers/api/base_controller.rb#L302
    because we have to get the 'parent scope' (the parent scope for the
    'Interfaces' resource, is 'Host')
  - scope_for is called so we get the list of hosts, scoped by permissions
  - on line 42 we make this check 'resource.respond_to?(:authorized)',
    which is called upon Host, therefore `Host.respond_to? :authorized`.

That returns false, because Host is a module, not a class. The class
that would return true to that would be Host::Base. We're aware
of this issue and we overcome it like this
https://github.com/theforeman/foreman/blob/1.12.0/app/models/host.rb#L21

I've changed the regex to be /(\Afind_by_(.*)\Z)|(\Aauthorized\Z)/ and
that fixes the problem. Notice this check would fail for any
/api/v2/hosts/:id/WHATEVER_RESOURCE , so audits, smart_class_parameters,
reports/last, smart_variables, facts can be affected too.

The change seems to have been introduced by #8343, as in 1.9-stable, the controller would always use an .authorized scope to find nested objects (i.e. the host of an interfaces call): https://github.com/theforeman/foreman/blob/1.9-stable/app/controllers/api/base_controller.rb#L215-L223. Since then, it checks that the parent resource responds to .authorized, as noted above.

My suggestion for a fix is to improve the extract_resource_from_param/resource_class_for methods to return Host::Managed rather than the Host module, which means the authorisation and or methods will always be against the correct object. Changing the behaviour of Host might lead to more subtle bugs.