Fixes #11579 - Reports show/destroy restricted by host authorization (CVE-2015-5233)
ReportsController 'show' and 'destroy' now perform a check to see ifthe User is authorized to see the Host associated with the Report. Incase it's not, it returns 404, as to not give hints whether a Report...
fixes #10586 - make the 401 status comparison actually match.
(cherry picked from commit 3196ebaa009ca1d79e1330d36a0362b7ca04aade)
fixes #10482 - get external user group members only once during refresh
(cherry picked from commit 0fd7412faaa76787bf15ed1901ffc9eb4d6353fa)
fixes #10342 - adding :host_parameters_attributes to except list in template_used()
(cherry picked from commit d4e53f27fefffc4a1b2b0f25f2d35accf5d4de6e)
fixes #9773 - correctly render template URL
(cherry picked from commit f7174439285708c3010605230fec16797f3a0763)
Fixes #9391 - Added validation code to NIC, so it validates that host's location/org is compatible with the one set on NIC's subnet
(cherry picked from commit 8f695d94a2f32fea3363cc017fc59baf6ca15b17)
Fixes #10123 - Tests API v2 external user groups
The addition of a .refresh call after create, update and delete, causedour tests to fail because of many failed calls to LDAP.We can just expect the method to return true as we're not testing therefresh functionality in these methods....
Fixes #9884 - refresh deleted external usergroups
(cherry picked from commit e780381933a7838af4be9a550942ef0f22608fd4)
Fixes #8812 - Pass model type so search_for is called on Host
At least on version 1.6.1, the absence of this second parameter leads to aruntime crash when it's time to validate if the current user (non-admin) isallowed to perform a power operation on given a host via the APIv2....
Fixes #10002 - Add attribute ancestry to taxonomies API v2
(cherry picked from commit 1f47202ce4e70fd036437f1d81646b6b811bf02d)
Fixes #7378 - fixed API lookup keys filters
(cherry picked from commit bc68c48da5b718084c3e531e61e48124e8e00d36)
Fixes #9657 - merge NICs from compute profile in host create API
- updated api docs for hosts and interfaces- host create/update api actions now merge interfaces from compute profiles- NIC type mapping extracted into a separate class- return full host detail after host update...
Fixes #9678 - Can't update admin flag for users via API
find_resource needs to be defined prior to UsersMixin is included as itrequires the variable @user being set.
(cherry picked from commit 1b1b39861e485523b0cc0c6435fef30c38df7e07)
Fixes #9427 - Return meaningful errors from subnets/freeip and parse the error response to the UI
(cherry picked from commit b9521a8dc7f4e61a011cabbfdfe78657bd3c24d2)
Refs #3809 - Remove classcheck cop
Refs #3809 - Remove various small cops
Refs #3809 - Remove cop IndentationConsistency
Refs #3809 - Remove cops for empty lines
fixes #9358 - match unattended template requests against provision interface
fixes #9030 - Adds support to clone config template via api
Fixes #7456 - Extract primary interface from host
All host must have at least one primary interface and one provision (can...
fixes #8484 - make SmartProxyAuth concern more useful to plugins
Fixes #8796 - Fix to_gb size calculation and constentize
fixes #8049 - Add timezone to user
Fixes #8405 - Filter :interfaces_attributes when calculating templates_used
Refs #3809 - Remove useless assignments
fixes #5634 - save sso_method on session expiry
fixes #5773 - redirect to referrer URL that includes page and search
Refs #969 - Foreman-side changes for serving templates from the proxy
Fixes #8091: connect-src accepts WSS
fixes #7586, #7734, #7172 - user preferences for receiving mail notifications
Adds a framework for user-selectable mail notifications. The work isstill done in ActionMailer classes and launch by rake in cron, however awrapper called MailNotification is used to provide RBAC and make the...
fixes #4463 - use unattended URL for hostgroup provisioning
Fixes #746 - Generate all the Host template when click on Build to avoid errors during installation
Fixes #8005 - Convert allowed NIC types to strings
- allowed NIC type classes need to be registered now- api for interfaces use lowercase human readable values for defining types- fixed output of api's create action to the standard format
Fixes #6710 - unicode characters in url parameters
Original methods to_param defined on resources called name.parameterizeto get rid of url-unsafe characters. This function unfortunately alsostripped off unicode characters.
Changes:- parameterization extracted into a separate module Parameterizable...
Fixes #7733 - Remove hosts.yml fixtures and use FactoryGirl instead
fixes #7331 - delete unassigned os default templates
fixes #7985 - add support for ws:// in secure headers
fixes #7898 - ensure that format can respond to json / yaml
fixes #7372 - API v2 - accept PUT/POST requests with wrapped root node to add/remove has_many associations of child nodes
fixes #7907 - Allow images from gravatar on secure headers
fixes #7805 - Add several security related HTTP headers - security hardening.
Fixes #7884 - Display Fog errors on vm operation
Fixes #5139 - leftovers subscribe_to_all_hostgroups
Remove user_xxx unnecessary tables and notices
Update subhostgroups removed
Fixes for migration of foreign keys
Remove users from compute_resource fixture
Remove table notices after fk are removed for pg/mysql
Refs #3809 - Use parentheses in method definitions
Refs #3809 - Fix a few rubocop TODOs
Refs #3809 - Remove rubocop TODOs
Removed the following TODOs so that cops for these will run from now on:
Lint/AmbiguousOperator, DefEndAlignment, DeprecatedClassMethodsEnsureReturn, RequireParentheses, Void, BlockAlignment, EndAlignment,UselessAccessModifier,...
fixes #2321 - remove new puppet creation option
refs #7608 - i18n fixes, tests, use POST for action + only display link if authed
fixes #6856 - API v2 - more efficient import puppetclasses for single environment
Fixes #7572 - remove rundeck from core
Foreman rundeck is now a plugin available in https://github.com/theforeman/foreman_host_rundeck
fixes #4386 - gem friendly_id to simplify find by id, name, label, etc
Fixes #6999 - protect user logout against CSRF requests (CVE-2014-3590)
To avoid CSRF, logout is changed to be a POST request soprotect_from_forgery checks the CSRF token. However, in Rails 3 the onlystrategy available is to nullify the session of the attacker....
fixes #5896 - Set Compute Resource's 'Console passwords' option in API
fixes #3544 - Editing an oVirt compute resource allows changing the type, which is unsupported
Fixes 4642: Fix intermittent test failures on rundeck functional tests
Fixes #3085: Request to be able to clone host groups via API
fixes #7314 - Set settings explicitly instead of stubbing Settings
refs #6161 - Add test to make sure override is marked on create
Fixes #4596 - Change parent of host group via AJAX
Reparenting host groups requires submitting the form to see the changesnowadays, this fix makes the host group model inherit all propertiesfrom the parent and show them in real time.
fixes #7253 - change nil admin field on users to false, matches usergroups
When the admin field was nil, admin_changed? in user model validations canevaluate to true if the field changed from nil to false.
Fixes #3840 - Removes unused Signo related code
Fixes #6444 - add support for virtual NICs
Extend additional interface details refs #2240
NIC facts parsing change and we create interfaces in Foreman accordingto facts we recieve.
Subclasses does not define their own attributes and serialize them toattrs hash. All BMC attributes are extracted to separate columns so it's...
Fixes #6831 - expire topbar cache for admin on taxonomy updates
fixes #6205 Changed regex to parse CNs from SSL DNs on separator chars
Fixes #6756 - exposes vmware resource pools and folders through the API
Fixes #6608 - expose disk usage info through available_storage_domains API
fixes #6696 - API v2 - specify 'host' as the key in which parameters will be wrapped rather than Host::Base
fixes #6964 - replace default scope that hides users with explicit scope
Fixes #5734 - API for external groups management
fixes #6861 - provide a way to detect host group provisioning
Fixes #6446 - Forbidding non-json POST/PUT requests in v2
Fixes #813 - External usergroups can be linked to an LDAP auth source
Fixes #6786 - Handle error when no taxonomy params get sent
Basically, no organization params are getting sent as the bug reporter is notusing json and not using wrapped params. You can also test this by doing:
curl -X POST http://localhost:3000/api/v2/organizations...
Refs #4478 - API doc strings marked for translation
Fixes #6768 - Hammer set-parameter does not work
fixes #6430 - validate presence of location and organization for managed host if Settings are turned on
refs #4641 - update to functional test
fixes #6753 - fix API v1 examples in docs that show error messages by re-ordering functional tests
fixes #6749 - fix API v2 examples in docs that show error messages by re-ordering functional tests
Fixes #6065 - Update TopbarSweeper to clear cache for other users than User.current
fixes #6402 - use standard success/error handlers in UI controllers
Fixes #6650: Friendlier message when attempting to delete oneself.
fixes #1646, #3103 - enable cloning and locking of templates
fixes #5178 - unify API parameters and return values. User creation should not require payload wrapped with 'user' root
Fixes #6537: Entering a very large number for idle_timeout is unchecked, crashes UI
fixes #6441 - allows filtering of parameters per controller
There is an issue where certain parameters for particularcontrollers are causing the log to fill up. This allows the abilityto filter parameters by controller.
This allows each controller to add additional parameters to filter....
fixes #4155 - enable host/CR (dis)association via api
Fixes #6532 - permission related api extensions
- usergroups#show lists associated roles - listing available resource types - filters#show lists associated roles - filters#index lists associated roles and permissions and orders the results - pagination in permissions#index...
fixes #6506 - remove x86_64 default for new architecture
Fixes #6285 - Settings API does not parse incoming values to correct data type
fixes #3272 - allow 'admin' account to be removed and replaced
fixes #6248 - API V2 return object for POST/PUT/DELETE should not include root node
fixes #6216, #4416 - avoid foreign key errors when deleting some objects in use
fixes #6229 - validate installation media exists for new host if pxe_build
fixes #6003 - don't render user default loc/org object directly
fixes #5881 - XSS from create/update/destroy notification boxes (CVE-2014-3491)
fixes #5722: VM-based host cloning picks up existing compute attributes
fixes #5826 - Using dots in kickstart template names or hostgroups causes routing errors
fixes #4250 - API v2 - add compute profiles
