commit 7eeafa76c8241552bbcb1edf9a5303e6706a9c61
author Abhishek Patel <Abhishek.Patel@ibm.com> Wed Jul 28 10:59:16 2021 -0500
committer Ed Tanous <ed@tanous.net> Thu Aug 05 21:33:43 2021 +0000
tree d936ba8f366215a1c5b324e4d3105d71875065d9
parent ff3f835ad47f7a4f61d5fe9345dccdd3e496c47c

Fix event_service privileges

Post method:
  1) redfish/v1/EventService/Subscriptions/
      ConfigureManager -> [ConfigureManager or ConfigureComponents]

  This change allows Admin and Operator both users to subscribe to the
  particular event, where only admin user has the ability before this
  change.

Tested: manually tested on Witherspoon system. Only ConfigureManager or
        ConfigureComponents privilege users can subscribe to an event.

TestURL:
curl -k -H "X-Auth-Token: $bmc_token"  -X POST -d
 '{"Context": "9.3.147.232",
  "DeliveryRetryPolicy": "TerminateAfterRetries",
  "Destination": "https://9.3.147.232:17443/redfish/events",
  "EventFormatType": "Event",
  "MessageIds": [],
  "MetricReportDefinitions": [],
  "Protocol": "Redfish",
  "RegistryPrefixes": [],
  "ResourceTypes": [],
  "SubscriptionType": "RedfishEvent"}'
https://${BMC_IP}/redfish/v1/EventService/Subscriptions

Signed-off-by: Abhishek Patel <Abhishek.Patel@ibm.com>
Change-Id: I4d3bcfaab7f5a00ada99a30fdb8f17d85531a2a8

redfish-core/lib/event_service.hpp

diff --git a/redfish-core/lib/event_service.hpp b/redfish-core/lib/event_service.hpp
index f1d6f50..67ad014 100644
--- a/redfish-core/lib/event_service.hpp
+++ b/redfish-core/lib/event_service.hpp
@@ -194,10 +194,7 @@
                 }
             });
     BMCWEB_ROUTE(app, "/redfish/v1/EventService/Subscriptions/")
-        // The below privilege is wrong, it should be ConfigureManager OR
-        // ConfigureComponents
-        //.privileges(redfish::privileges::postEventDestinationCollection)
-        .privileges({{"ConfigureManager"}})
+        .privileges(redfish::privileges::postEventDestinationCollection)
         .methods(boost::beast::http::verb::post)(
             [](const crow::Request& req,
                const std::shared_ptr<bmcweb::AsyncResp>& asyncResp) {
@@ -542,12 +539,10 @@
                 asyncResp->res.jsonValue["MetricReportDefinitions"] =
                     mrdJsonArray;
             });
-    /////redfish/v1/EventService/Subscriptions/
-    // ConfigureManager
     BMCWEB_ROUTE(app, "/redfish/v1/EventService/Subscriptions/<str>/")
         // The below privilege is wrong, it should be ConfigureManager OR
         // ConfigureSelf
-        // TODO(ed) follow up with DMTF spec and understand ConfigureSelf
+        // https://github.com/openbmc/bmcweb/issues/220
         //.privileges(redfish::privileges::patchEventDestination)
         .privileges({{"ConfigureManager"}})
         .methods(boost::beast::http::verb::patch)(
@@ -604,6 +599,7 @@
     BMCWEB_ROUTE(app, "/redfish/v1/EventService/Subscriptions/<str>/")
         // The below privilege is wrong, it should be ConfigureManager OR
         // ConfigureSelf
+        // https://github.com/openbmc/bmcweb/issues/220
         //.privileges(redfish::privileges::deleteEventDestination)
         .privileges({{"ConfigureManager"}})
         .methods(boost::beast::http::verb::delete_)(