From 80eff5ac13caf05494d209502825ca4f294abf24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Tue, 1 Nov 2016 11:06:44 +0100
Subject: [PATCH 01/12] Introduce query to tell whether a user can see an
 MiqReport

This query was missing as a scope, however we have rules to compose
RerportsTree on the ui, that uses this exact same set of rules.

Relates to cve-2016-7047.
---
 app/models/miq_report.rb | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/app/models/miq_report.rb b/app/models/miq_report.rb
index 45518dc69d9..c59ed9be114 100644
--- a/app/models/miq_report.rb
+++ b/app/models/miq_report.rb
@@ -53,6 +53,19 @@ class MiqReport < ApplicationRecord
   GROUPINGS = [[:min, "Minimum"], [:avg, "Average"], [:max, "Maximum"], [:total, "Total"]]
   PIVOTS    = [[:min, "Minimum"], [:avg, "Average"], [:max, "Maximum"], [:total, "Total"]]
 
+  scope :for_user, lambda { |user|
+    if user.admin_user?
+      all
+    else
+      where(
+        arel_table[:rpt_type].eq('Custom').and(arel_table[:miq_group_id].eq(user.current_group_id))
+        .or(
+          arel_table[:rpt_type].eq('Default')
+        )
+      )
+    end
+  }
+
   def self.filter_with_report_results_by(miq_group_ids)
     miq_group_condition = {:miq_report_results => {:miq_group_id => miq_group_ids}}
 

From 7b12e5b5f3a3f1a4a2443d9d01af26840a17aa0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Tue, 1 Nov 2016 11:15:16 +0100
Subject: [PATCH 02/12] Do not leak MiqReports on /api/reports

Show list only of those reports he or she is authorized to.

Relates to CVE-2016-7047
---
 app/controllers/api/reports_controller.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app/controllers/api/reports_controller.rb b/app/controllers/api/reports_controller.rb
index 2069eaacb24..2a13a5f7d9c 100644
--- a/app/controllers/api/reports_controller.rb
+++ b/app/controllers/api/reports_controller.rb
@@ -7,6 +7,10 @@ class ReportsController < BaseController
 
     before_action :set_additional_attributes, :only => [:index, :show]
 
+    def reports_search_conditions
+      MiqReport.for_user(@auth_user_obj).where_clause.ast unless @auth_user_obj.admin?
+    end
+
     def run_resource(_type, id, _data)
       report = MiqReport.find(id)
       report_result = MiqReportResult.find(report.queue_generate_table)

From f168b3b2df5b48e34aad7b6518fd39ee3f271c56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Tue, 1 Nov 2016 11:25:19 +0100
Subject: [PATCH 03/12] Do not leak MiqReport on /api/reports/:id

Relates to: CVE-2016-7047
---
 app/controllers/api/reports_controller.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/app/controllers/api/reports_controller.rb b/app/controllers/api/reports_controller.rb
index 2a13a5f7d9c..0436928649b 100644
--- a/app/controllers/api/reports_controller.rb
+++ b/app/controllers/api/reports_controller.rb
@@ -11,8 +11,12 @@ def reports_search_conditions
       MiqReport.for_user(@auth_user_obj).where_clause.ast unless @auth_user_obj.admin?
     end
 
-    def run_resource(_type, id, _data)
-      report = MiqReport.find(id)
+    def find_reports(id)
+      MiqReport.for_user(@auth_user_obj).find(id)
+    end
+
+    def run_resource(type, id, _data)
+      report = resource_search(id, type, MiqReport)
       report_result = MiqReportResult.find(report.queue_generate_table)
       run_report_result(true,
                         "running report #{report.id}",

From 5cf8d1ffd0e9489f9a58ecb1223c3a816817dd76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Tue, 1 Nov 2016 15:20:36 +0100
Subject: [PATCH 04/12] Refactor: Extract scope

---
 app/models/miq_report.rb        | 15 +--------------
 app/models/miq_report_result.rb |  9 +++++++++
 2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/app/models/miq_report.rb b/app/models/miq_report.rb
index c59ed9be114..5301c5bf62a 100644
--- a/app/models/miq_report.rb
+++ b/app/models/miq_report.rb
@@ -66,18 +66,6 @@ class MiqReport < ApplicationRecord
     end
   }
 
-  def self.filter_with_report_results_by(miq_group_ids)
-    miq_group_condition = {:miq_report_results => {:miq_group_id => miq_group_ids}}
-
-    if miq_group_ids.nil?
-      miq_group_relation = where.not(miq_group_condition)
-    else
-      miq_group_relation = where(miq_group_condition)
-    end
-
-    miq_group_relation.joins(:miq_report_results).distinct
-  end
-
   # Scope on reports that have report results.
   #
   # Valid options are:
@@ -88,8 +76,7 @@ def self.having_report_results(options = {})
     miq_group_ids = options[:miq_groups].collect(&:id) unless options[:miq_groups].nil?
 
     miq_group_ids ||= options[:miq_group_ids]
-
-    q = filter_with_report_results_by(miq_group_ids)
+    q = joins(:miq_report_results).merge(MiqReportResult.for_groups(miq_group_ids)).distinct
 
     if options[:select]
       cols = options[:select].to_miq_a
diff --git a/app/models/miq_report_result.rb b/app/models/miq_report_result.rb
index 8d430c86a12..558231758b9 100644
--- a/app/models/miq_report_result.rb
+++ b/app/models/miq_report_result.rb
@@ -15,6 +15,15 @@ class MiqReportResult < ApplicationRecord
   virtual_column :status_message,        :type => :string, :uses => :miq_task
   virtual_has_one :result_set,           :class_name => "Hash"
 
+  scope :for_groups, lambda { |group_ids|
+    condition = {:miq_group_id => group_ids}
+    if group_ids.nil?
+      where.not(condition)
+    else
+      where(condition)
+    end
+  }
+
   before_save do
     user_info = userid.to_s.split("|")
     if user_info.length == 1

From e2430b1ee918d22a2b4849bba93578dfd58a801c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Wed, 2 Nov 2016 11:41:35 +0100
Subject: [PATCH 05/12] Do no leak MiqReportResults on /api/results

And fix tests.

Relates to CVE-2016-7047
---
 app/controllers/api/results_controller.rb |  4 +++
 app/models/miq_report_result.rb           |  3 +++
 spec/factories/miq_report.rb              |  2 +-
 spec/requests/api/reports_spec.rb         | 32 ++++++++++++++---------
 4 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/app/controllers/api/results_controller.rb b/app/controllers/api/results_controller.rb
index 027be01bb4b..def6942538f 100644
--- a/app/controllers/api/results_controller.rb
+++ b/app/controllers/api/results_controller.rb
@@ -2,6 +2,10 @@ module Api
   class ResultsController < BaseController
     before_action :set_additional_attributes, :only => [:index, :show]
 
+    def results_search_conditions
+      MiqReportResult.for_user(@auth_user_obj).where_clause.ast
+    end
+
     private
 
     def set_additional_attributes
diff --git a/app/models/miq_report_result.rb b/app/models/miq_report_result.rb
index 558231758b9..9cef4687620 100644
--- a/app/models/miq_report_result.rb
+++ b/app/models/miq_report_result.rb
@@ -23,6 +23,9 @@ class MiqReportResult < ApplicationRecord
       where(condition)
     end
   }
+  scope :for_user, lambda { |user|
+    for_groups(user.admin_user? ? nil : user.miq_group_ids)
+  }
 
   before_save do
     user_info = userid.to_s.split("|")
diff --git a/spec/factories/miq_report.rb b/spec/factories/miq_report.rb
index d67ab4cd79d..d5322d38843 100644
--- a/spec/factories/miq_report.rb
+++ b/spec/factories/miq_report.rb
@@ -21,7 +21,7 @@
   end
 
   factory :miq_report_with_results, :parent => :miq_report do
-    miq_report_results { [FactoryGirl.create(:miq_report_result)] }
+    miq_report_results { [FactoryGirl.create(:miq_report_result, :miq_group => miq_group)] }
   end
 
   factory :miq_report_chargeback, :parent => :miq_report do
diff --git a/spec/requests/api/reports_spec.rb b/spec/requests/api/reports_spec.rb
index b92384527a4..98095118031 100644
--- a/spec/requests/api/reports_spec.rb
+++ b/spec/requests/api/reports_spec.rb
@@ -67,20 +67,28 @@
     expect(response).to have_http_status(:ok)
   end
 
-  it "can fetch all the results" do
-    report = FactoryGirl.create(:miq_report_with_results)
-    result = report.miq_report_results.first
+  context 'authorized to see its own report results' do
+    let(:group) { FactoryGirl.create(:miq_group) }
+    let(:user) do
+      @user.current_group ||= group
+      @user
+    end
+    let(:report) { FactoryGirl.create(:miq_report_with_results, :miq_group => user.current_group) }
 
-    api_basic_authorize collection_action_identifier(:results, :read, :get)
-    run_get results_url
+    it "can fetch all the results" do
+      result = report.miq_report_results.first
 
-    expect_result_resources_to_include_hrefs(
-      "resources",
-      [
-        results_url(result.id).to_s
-      ]
-    )
-    expect(response).to have_http_status(:ok)
+      api_basic_authorize collection_action_identifier(:results, :read, :get)
+      run_get results_url
+
+      expect_result_resources_to_include_hrefs(
+        "resources",
+        [
+          results_url(result.id).to_s
+        ]
+      )
+      expect(response).to have_http_status(:ok)
+    end
   end
 
   it "can fetch a specific result as a primary collection" do

From f79e2c0ba76a6e35a0fed410c08243f34f1f1106 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Wed, 2 Nov 2016 13:14:31 +0100
Subject: [PATCH 06/12] Do not leak MiqReportResult on /api/results/:id

And fix tests.

Relates to CVE-2016-7047
---
 app/controllers/api/results_controller.rb |  4 ++++
 spec/requests/api/reports_spec.rb         | 27 +++++++++++------------
 2 files changed, 17 insertions(+), 14 deletions(-)

diff --git a/app/controllers/api/results_controller.rb b/app/controllers/api/results_controller.rb
index def6942538f..4262addb3ae 100644
--- a/app/controllers/api/results_controller.rb
+++ b/app/controllers/api/results_controller.rb
@@ -6,6 +6,10 @@ def results_search_conditions
       MiqReportResult.for_user(@auth_user_obj).where_clause.ast
     end
 
+    def find_results(id)
+      MiqReportResult.for_user(@auth_user_obj).find(id)
+    end
+
     private
 
     def set_additional_attributes
diff --git a/spec/requests/api/reports_spec.rb b/spec/requests/api/reports_spec.rb
index 98095118031..ee779060ffc 100644
--- a/spec/requests/api/reports_spec.rb
+++ b/spec/requests/api/reports_spec.rb
@@ -89,23 +89,22 @@
       )
       expect(response).to have_http_status(:ok)
     end
-  end
 
-  it "can fetch a specific result as a primary collection" do
-    report = FactoryGirl.create(:miq_report_with_results)
-    report_result = report.miq_report_results.first
-    table = Ruport::Data::Table.new(
-      :column_names => %w(foo),
-      :data         => [%w(bar), %w(baz)]
-    )
-    allow(report).to receive(:table).and_return(table)
-    allow_any_instance_of(MiqReportResult).to receive(:report_results).and_return(report)
+    it "can fetch a specific result as a primary collection" do
+      report_result = report.miq_report_results.first
+      table = Ruport::Data::Table.new(
+        :column_names => %w(foo),
+        :data         => [%w(bar), %w(baz)]
+      )
+      allow(report).to receive(:table).and_return(table)
+      allow_any_instance_of(MiqReportResult).to receive(:report_results).and_return(report)
 
-    api_basic_authorize action_identifier(:results, :read, :resource_actions, :get)
-    run_get results_url(report_result.id)
+      api_basic_authorize action_identifier(:results, :read, :resource_actions, :get)
+      run_get results_url(report_result.id)
 
-    expect_result_to_match_hash(response.parsed_body, "result_set" => [{"foo" => "bar"}, {"foo" => "baz"}])
-    expect(response).to have_http_status(:ok)
+      expect_result_to_match_hash(response.parsed_body, "result_set" => [{"foo" => "bar"}, {"foo" => "baz"}])
+      expect(response).to have_http_status(:ok)
+    end
   end
 
   it "can fetch all the schedule" do

From 57d03a8573fca93337698a2d18ad47f09da234a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Wed, 2 Nov 2016 13:19:25 +0100
Subject: [PATCH 07/12] Do not leak MiqReportResults on
 /api/reports/:id/results

And fix tests.

Relates to CVE-2016-7047
---
 app/controllers/api/subcollections/results.rb |  2 +-
 spec/requests/api/reports_spec.rb             | 33 +++++++++----------
 2 files changed, 17 insertions(+), 18 deletions(-)

diff --git a/app/controllers/api/subcollections/results.rb b/app/controllers/api/subcollections/results.rb
index 948c47a3fac..3c188579e39 100644
--- a/app/controllers/api/subcollections/results.rb
+++ b/app/controllers/api/subcollections/results.rb
@@ -2,7 +2,7 @@ module Api
   module Subcollections
     module Results
       def results_query_resource(object)
-        object.miq_report_results
+        object.miq_report_results.for_user(@auth_user_obj)
       end
     end
   end
diff --git a/spec/requests/api/reports_spec.rb b/spec/requests/api/reports_spec.rb
index ee779060ffc..0440419a51b 100644
--- a/spec/requests/api/reports_spec.rb
+++ b/spec/requests/api/reports_spec.rb
@@ -33,23 +33,6 @@
     expect(response).to have_http_status(:ok)
   end
 
-  it "can fetch a report's results" do
-    report = FactoryGirl.create(:miq_report_with_results)
-    report_result = report.miq_report_results.first
-
-    api_basic_authorize
-    run_get "#{reports_url(report.id)}/results"
-
-    expect_result_resources_to_include_hrefs(
-      "resources",
-      [
-        "#{reports_url(report.id)}/results/#{report_result.to_param}"
-      ]
-    )
-    expect(response.parsed_body["resources"]).not_to be_any { |resource| resource.key?("result_set") }
-    expect(response).to have_http_status(:ok)
-  end
-
   it "can fetch a report's result" do
     report = FactoryGirl.create(:miq_report_with_results)
     report_result = report.miq_report_results.first
@@ -75,6 +58,22 @@
     end
     let(:report) { FactoryGirl.create(:miq_report_with_results, :miq_group => user.current_group) }
 
+    it "can fetch a report's results" do
+      report_result = report.miq_report_results.first
+
+      api_basic_authorize
+      run_get "#{reports_url(report.id)}/results"
+
+      expect_result_resources_to_include_hrefs(
+        "resources",
+        [
+          "#{reports_url(report.id)}/results/#{report_result.to_param}"
+        ]
+      )
+      expect(response.parsed_body["resources"]).not_to be_any { |resource| resource.key?("result_set") }
+      expect(response).to have_http_status(:ok)
+    end
+
     it "can fetch all the results" do
       result = report.miq_report_results.first
 

From b524a2373bc83caa4402b4280a075ecf856b560f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Wed, 2 Nov 2016 13:27:01 +0100
Subject: [PATCH 08/12] Do not leak MiqReportResults on
 /api/reports/:id/results/:cid

And fix tests.

Relates to CVE-2016-7047
---
 app/controllers/api/subcollections/results.rb |  4 ++
 spec/requests/api/reports_spec.rb             | 43 +++++++++++--------
 2 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/app/controllers/api/subcollections/results.rb b/app/controllers/api/subcollections/results.rb
index 3c188579e39..8b20804a0b5 100644
--- a/app/controllers/api/subcollections/results.rb
+++ b/app/controllers/api/subcollections/results.rb
@@ -1,6 +1,10 @@
 module Api
   module Subcollections
     module Results
+      def find_results(id)
+        MiqReportResult.for_user(@auth_user_obj).find(id)
+      end
+
       def results_query_resource(object)
         object.miq_report_results.for_user(@auth_user_obj)
       end
diff --git a/spec/requests/api/reports_spec.rb b/spec/requests/api/reports_spec.rb
index 0440419a51b..7c68bbd6cf5 100644
--- a/spec/requests/api/reports_spec.rb
+++ b/spec/requests/api/reports_spec.rb
@@ -33,23 +33,6 @@
     expect(response).to have_http_status(:ok)
   end
 
-  it "can fetch a report's result" do
-    report = FactoryGirl.create(:miq_report_with_results)
-    report_result = report.miq_report_results.first
-    table = Ruport::Data::Table.new(
-      :column_names => %w(foo),
-      :data         => [%w(bar), %w(baz)]
-    )
-    allow(report).to receive(:table).and_return(table)
-    allow_any_instance_of(MiqReportResult).to receive(:report_results).and_return(report)
-
-    api_basic_authorize
-    run_get "#{reports_url(report.id)}/results/#{report_result.to_param}"
-
-    expect_result_to_match_hash(response.parsed_body, "result_set" => [{"foo" => "bar"}, {"foo" => "baz"}])
-    expect(response).to have_http_status(:ok)
-  end
-
   context 'authorized to see its own report results' do
     let(:group) { FactoryGirl.create(:miq_group) }
     let(:user) do
@@ -74,6 +57,22 @@
       expect(response).to have_http_status(:ok)
     end
 
+    it "can fetch a report's result" do
+      report_result = report.miq_report_results.first
+      table = Ruport::Data::Table.new(
+        :column_names => %w(foo),
+        :data         => [%w(bar), %w(baz)]
+      )
+      allow(report).to receive(:table).and_return(table)
+      allow_any_instance_of(MiqReportResult).to receive(:report_results).and_return(report)
+
+      api_basic_authorize
+      run_get "#{reports_url(report.id)}/results/#{report_result.to_param}"
+
+      expect_result_to_match_hash(response.parsed_body, "result_set" => [{"foo" => "bar"}, {"foo" => "baz"}])
+      expect(response).to have_http_status(:ok)
+    end
+
     it "can fetch all the results" do
       result = report.miq_report_results.first
 
@@ -104,6 +103,16 @@
       expect_result_to_match_hash(response.parsed_body, "result_set" => [{"foo" => "bar"}, {"foo" => "baz"}])
       expect(response).to have_http_status(:ok)
     end
+
+    it "returns an empty result set if none has been run" do
+      report_result = report.miq_report_results.first
+
+      api_basic_authorize
+      run_get "#{reports_url(report.id)}/results/#{report_result.id}"
+
+      expect_result_to_match_hash(response.parsed_body, "result_set" => [])
+      expect(response).to have_http_status(:ok)
+    end
   end
 
   it "can fetch all the schedule" do

From efce37ff1f15467bfb5aa8d0a5e54b70ceae67b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Thu, 3 Nov 2016 13:08:10 +0100
Subject: [PATCH 09/12] Fix collection spec to build result accessible to user

---
 spec/requests/api/collections_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/requests/api/collections_spec.rb b/spec/requests/api/collections_spec.rb
index 10b329076ce..28807c6d406 100644
--- a/spec/requests/api/collections_spec.rb
+++ b/spec/requests/api/collections_spec.rb
@@ -185,7 +185,7 @@ def test_collection_bulk_query(collection, collection_url, klass, id = nil)
     end
 
     it "query Report Results" do
-      FactoryGirl.create(:miq_report_result)
+      FactoryGirl.create(:miq_report_result, :miq_group => @user.current_group)
       test_collection_query(:results, results_url, MiqReportResult)
     end
 

From 8271adbece488b19b5b5cf7edba182b85fa252b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Tue, 9 May 2017 12:26:20 +0200
Subject: [PATCH 10/12] s/@auth_user_obj/User.current_user/

See also 81e4b0e4659e27f189bf7c0c15205d0b1cad3f1b
---
 app/controllers/api/reports_controller.rb     | 4 ++--
 app/controllers/api/results_controller.rb     | 4 ++--
 app/controllers/api/subcollections/results.rb | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/app/controllers/api/reports_controller.rb b/app/controllers/api/reports_controller.rb
index 0436928649b..1476d376345 100644
--- a/app/controllers/api/reports_controller.rb
+++ b/app/controllers/api/reports_controller.rb
@@ -8,11 +8,11 @@ class ReportsController < BaseController
     before_action :set_additional_attributes, :only => [:index, :show]
 
     def reports_search_conditions
-      MiqReport.for_user(@auth_user_obj).where_clause.ast unless @auth_user_obj.admin?
+      MiqReport.for_user(User.current_user).where_clause.ast unless User.current_user.admin?
     end
 
     def find_reports(id)
-      MiqReport.for_user(@auth_user_obj).find(id)
+      MiqReport.for_user(User.current_user).find(id)
     end
 
     def run_resource(type, id, _data)
diff --git a/app/controllers/api/results_controller.rb b/app/controllers/api/results_controller.rb
index 4262addb3ae..bcaaa5aedf5 100644
--- a/app/controllers/api/results_controller.rb
+++ b/app/controllers/api/results_controller.rb
@@ -3,11 +3,11 @@ class ResultsController < BaseController
     before_action :set_additional_attributes, :only => [:index, :show]
 
     def results_search_conditions
-      MiqReportResult.for_user(@auth_user_obj).where_clause.ast
+      MiqReportResult.for_user(User.current_user).where_clause.ast
     end
 
     def find_results(id)
-      MiqReportResult.for_user(@auth_user_obj).find(id)
+      MiqReportResult.for_user(User.current_user).find(id)
     end
 
     private
diff --git a/app/controllers/api/subcollections/results.rb b/app/controllers/api/subcollections/results.rb
index 8b20804a0b5..0ec2aeff71b 100644
--- a/app/controllers/api/subcollections/results.rb
+++ b/app/controllers/api/subcollections/results.rb
@@ -2,11 +2,11 @@ module Api
   module Subcollections
     module Results
       def find_results(id)
-        MiqReportResult.for_user(@auth_user_obj).find(id)
+        MiqReportResult.for_user(User.current_user).find(id)
       end
 
       def results_query_resource(object)
-        object.miq_report_results.for_user(@auth_user_obj)
+        object.miq_report_results.for_user(User.current_user)
       end
     end
   end

From 787a17019c3cfd35277a6a0e1b9e4642d12c344a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Tue, 9 May 2017 12:49:29 +0200
Subject: [PATCH 11/12] Create the report with ownership for the newest tests

---
 spec/requests/api/reports_spec.rb | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/spec/requests/api/reports_spec.rb b/spec/requests/api/reports_spec.rb
index 7c68bbd6cf5..51ce7533174 100644
--- a/spec/requests/api/reports_spec.rb
+++ b/spec/requests/api/reports_spec.rb
@@ -113,6 +113,17 @@
       expect_result_to_match_hash(response.parsed_body, "result_set" => [])
       expect(response).to have_http_status(:ok)
     end
+
+    it "returns an empty result set if none has been run" do
+      report = FactoryGirl.create(:miq_report_with_results, :miq_group => user.current_group)
+      report_result = report.miq_report_results.first
+
+      api_basic_authorize
+      run_get "#{reports_url(report.id)}/results/#{report_result.id}"
+
+      expect_result_to_match_hash(response.parsed_body, "result_set" => [])
+      expect(response).to have_http_status(:ok)
+    end
   end
 
   it "can fetch all the schedule" do
@@ -181,17 +192,6 @@
     expect(response).to have_http_status(:forbidden)
   end
 
-  it "returns an empty result set if none has been run" do
-    report = FactoryGirl.create(:miq_report_with_results)
-    report_result = report.miq_report_results.first
-
-    api_basic_authorize
-    run_get "#{reports_url(report.id)}/results/#{report_result.id}"
-
-    expect_result_to_match_hash(response.parsed_body, "result_set" => [])
-    expect(response).to have_http_status(:ok)
-  end
-
   context "with an appropriate role" do
     it "can run a report" do
       report = FactoryGirl.create(:miq_report)

From 36e042b5301eda3974b355efcb8a9b3e446ab5eb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= <isimluk@fedoraproject.org>
Date: Tue, 9 May 2017 13:46:14 +0200
Subject: [PATCH 12/12] Create MiqReportResult accessible by current_user.

---
 spec/requests/api/collections_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/requests/api/collections_spec.rb b/spec/requests/api/collections_spec.rb
index 28807c6d406..e6d8de4b893 100644
--- a/spec/requests/api/collections_spec.rb
+++ b/spec/requests/api/collections_spec.rb
@@ -438,7 +438,7 @@ def test_collection_bulk_query(collection, collection_url, klass, id = nil)
     end
 
     it "bulk query Report Results" do
-      FactoryGirl.create(:miq_report_result)
+      FactoryGirl.create(:miq_report_result, :miq_group => @user.current_group)
       test_collection_bulk_query(:results, results_url, MiqReportResult)
     end