From b6959629b3fe926a7d430826b1f8d335aab4eb7a Mon Sep 17 00:00:00 2001
From: Jason Frey
Date: Fri, 9 Jun 2023 21:55:07 -0400
Subject: [PATCH] Allow the user to list and see themselves even without rbac_user_show
Fixes ManageIQ/manageiq-ui-classic#8735
---
 app/controllers/api/users_controller.rb | 18 +++++++++++++++---
 config/api.yml | 16 ++++++++++++----
 2 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
index 508cc32bc2..6cac67136e 100644
--- a/app/controllers/api/users_controller.rb
+++ b/app/controllers/api/users_controller.rb
@@ -7,11 +7,23 @@ class UsersController < BaseController
   include Subcollections::CustomButtonEvents
   include Subcollections::Tags
 
-  skip_before_action :validate_api_action, :only => :update
+  skip_before_action :validate_api_action, :only => [:index, :show, :update]
+
+  def index # rubocop:disable Lint/UselessMethodDefinition
+    # Rails style guide and Rubocop suggest this method to be lexically redefined since we are skipping validate_api_action
+    # See https://rails.rubystyle.guide/#lexically-scoped-action-filter
+    # https://docs.rubocop.org/rubocop-rails/cops_rails.html#railslexicallyscopedactionfilter
+    super
+  end
+
+  def show
+    validate_api_action unless target_is_api_user?
+    super
+  end
 
   def update
     aname = @req.action
-    if aname == "edit" && !api_user_role_allows?(aname) && update_target_is_api_user?
+    if aname == "edit" && !api_user_role_allows?(aname) && target_is_api_user?
       if (Array(@req.resource.try(:keys)) - EDITABLE_ATTRS).present?
         raise BadRequestError,
               "Cannot update attributes other than #{EDITABLE_ATTRS.join(', ')} for the authenticated user"
@@ -90,7 +102,7 @@ def target_user(id, type)
     end
   end
 
-  def update_target_is_api_user?
+  def target_is_api_user?
     User.current_user.id == @req.collection_id.to_i
   end
 
diff --git a/config/api.yml b/config/api.yml
index 46aa704935..d9f35c7921 100644
--- a/config/api.yml
+++ b/config/api.yml
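Review bot: The new `index` override bypasses `validate_api_action` for every caller, whereas `show` only bypasses it when `target_is_api_user?` holds, so on the collection path no role identifier is checked at all and the `my_settings_view` entries this commit adds to the collection `read`/`query` actions in config/api.yml are not consulted by this controller (unless the base `index`, which is outside the hunk, performs its own identifier check). The commit title says users may list "themselves", but nothing in the hunk narrows the listing to the caller, so what a user without `rbac_user_show_list` sees depends entirely on whatever RBAC filtering `super` applies. That assumption should at least be written down at the call site, e.g. replace the two rubocop-link comments with `# Intentionally unchecked: the visible set must be narrowed to the caller by the RBAC filtering in super — confirm before relying on it`. The `update` method's body continues past the end of the hunk.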
@@ -4562,7 +4562,9 @@ :identifier: tp_delete :users: :description: Users - :identifier: rbac_user + :identifier: + - rbac_user + - my_settings_view :options: - :collection - :custom_actions @@ -4575,10 +4577,14 @@ :collection_actions: :get: - :name: read - :identifier: rbac_user_show_list + :identifier: + - rbac_user_show_list + - my_settings_view :post: - :name: query - :identifier: rbac_user_show_list + :identifier: + - rbac_user_show_list + - my_settings_view - :name: create :identifier: rbac_user_add - :name: edit @@ -4593,7 +4599,9 @@ :resource_actions: :get: - :name: read - :identifier: rbac_user_show + :identifier: + - rbac_user_show + - my_settings_view :post: - :name: edit :identifier: rbac_user_edit
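Review bot: Adding `my_settings_view` to the resource-level `read` identifier (third hunk, under `:resource_actions:` / `:get:`) widens the grant beyond the stated goal: `show` in users_controller.rb skips the role check only when the target is the caller, and for any other user id it now calls `validate_api_action`, which — if an identifier list is satisfied by any one of its entries — succeeds for every caller holding `my_settings_view`, so such a caller can read other users' records subject only to RBAC filtering. The collection identifier and the collection `read`/`query` identifiers in the first two hunks carry the same widening, although the controller's `index` override makes them moot there. If self-only access is the intent, the resource-level entry should stay `:identifier: rbac_user_show` and rely on the controller's self check; if the broader grant is intended, a comment beside it such as `# my_settings_view also grants read of any user record visible to the caller, not only the caller's own` should record that decision.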