From f9ce129c658d6405c5d3b47dcd5cb63b27417cff Mon Sep 17 00:00:00 2001
From: Samir Jha <sjha4@ncsu.edu>
Date: Tue, 8 Aug 2023 17:05:50 -0400
Subject: [PATCH] Fixes #36520 - Enforce authorization on capsule syncs
 (#10651)

---
 app/lib/actions/katello/content_view/capsule_sync.rb       | 2 +-
 app/lib/actions/katello/repository/capsule_sync.rb         | 2 +-
 app/lib/actions/katello/repository/update_metadata_sync.rb | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/lib/actions/katello/content_view/capsule_sync.rb b/app/lib/actions/katello/content_view/capsule_sync.rb
index f989dc5f35e..e83d6c0b33e 100644
--- a/app/lib/actions/katello/content_view/capsule_sync.rb
+++ b/app/lib/actions/katello/content_view/capsule_sync.rb
@@ -9,7 +9,7 @@ def humanized_name
         def plan(content_view, environment)
           sequence do
             concurrence do
-              smart_proxies = SmartProxy.with_environment(environment)
+              smart_proxies = SmartProxy.unscoped.with_environment(environment).select { |sp| sp.authorized?(:manage_capsule_content) && sp.authorized?(:view_capsule_content) }
               unless smart_proxies.blank?
                 plan_action(::Actions::BulkAction, ::Actions::Katello::CapsuleContent::Sync, smart_proxies.sort,
                             :content_view_id => content_view.id, :environment_id => environment.id)
diff --git a/app/lib/actions/katello/repository/capsule_sync.rb b/app/lib/actions/katello/repository/capsule_sync.rb
index 3c3f07792db..31220911d7a 100644
--- a/app/lib/actions/katello/repository/capsule_sync.rb
+++ b/app/lib/actions/katello/repository/capsule_sync.rb
@@ -9,7 +9,7 @@ def humanized_name
         def plan(repo)
           if repo.node_syncable?
             concurrence do
-              smart_proxies = ::SmartProxy.with_environment(repo.environment)
+              smart_proxies = ::SmartProxy.unscoped.with_environment(repo.environment).select { |sp| sp.authorized?(:manage_capsule_content) && sp.authorized?(:view_capsule_content) }
               unless smart_proxies.blank?
                 plan_action(::Actions::BulkAction, ::Actions::Katello::CapsuleContent::Sync, smart_proxies,
                             :repository_id => repo.id)
diff --git a/app/lib/actions/katello/repository/update_metadata_sync.rb b/app/lib/actions/katello/repository/update_metadata_sync.rb
index 3e0beae3431..0d00e51a8c6 100644
--- a/app/lib/actions/katello/repository/update_metadata_sync.rb
+++ b/app/lib/actions/katello/repository/update_metadata_sync.rb
@@ -6,7 +6,7 @@ def plan(repository)
           sequence do
             plan_action(Katello::Repository::MetadataGenerate, repository)
             concurrence do
-              ::SmartProxy.with_repo(repository).each do |capsule|
+              (::SmartProxy.unscoped.with_repo(repository).select { |sp| sp.authorized?(:manage_capsule_content) && sp.authorized?(:view_capsule_content) })&.each do |capsule|
                 next if capsule.pulp_primary?
                 plan_action(Katello::CapsuleContent::Sync, capsule, repository_id: repository.id)
               end