Fixes #36520 - Enforce authorization on capsule syncs (#10651)

app/lib/actions/katello/content_view/capsule_sync.rb

@@ -9,7 +9,7 @@ def humanized_name
         def plan(content_view, environment)
           sequence do
             concurrence do
-              smart_proxies = SmartProxy.with_environment(environment)
+              smart_proxies = SmartProxy.unscoped.with_environment(environment).select { |sp| sp.authorized?(:manage_capsule_content) && sp.authorized?(:view_capsule_content) }
               unless smart_proxies.blank?
                 plan_action(::Actions::BulkAction, ::Actions::Katello::CapsuleContent::Sync, smart_proxies.sort,
                             :content_view_id => content_view.id, :environment_id => environment.id)

app/lib/actions/katello/repository/capsule_sync.rb

@@ -9,7 +9,7 @@ def humanized_name
         def plan(repo)
           if repo.node_syncable?
             concurrence do
-              smart_proxies = ::SmartProxy.with_environment(repo.environment)
+              smart_proxies = ::SmartProxy.unscoped.with_environment(repo.environment).select { |sp| sp.authorized?(:manage_capsule_content) && sp.authorized?(:view_capsule_content) }
               unless smart_proxies.blank?
                 plan_action(::Actions::BulkAction, ::Actions::Katello::CapsuleContent::Sync, smart_proxies,
                             :repository_id => repo.id)

app/lib/actions/katello/repository/update_metadata_sync.rb

@@ -6,7 +6,7 @@ def plan(repository)
           sequence do
             plan_action(Katello::Repository::MetadataGenerate, repository)
             concurrence do
-              ::SmartProxy.with_repo(repository).each do |capsule|
+              (::SmartProxy.unscoped.with_repo(repository).select { |sp| sp.authorized?(:manage_capsule_content) && sp.authorized?(:view_capsule_content) })&.each do |capsule|
                 next if capsule.pulp_primary?
                 plan_action(Katello::CapsuleContent::Sync, capsule, repository_id: repository.id)
               end