Steering endpoint is accessible to a user that doesn't have steering role.

[lbathina]

I'm submitting a ...

• [X] bug report
• [ ] new feature / enhancement request
• [ ] improvement request (usability, performance, tech debt, etc.)
• [ ] other

Traffic Control components affected ...

• [ ] CDN in a Box
• [ ] Documentation
• [ ] Grove
• [ ] Traffic Control Client
• [ ] Traffic Monitor
• [X] Traffic Ops
• [ ] Traffic Ops ORT
• [ ] Traffic Portal
• [ ] Traffic Router
• [ ] Traffic Stats
• [ ] Traffic Vault
• [ ] unknown

Current behavior:

use ort user or any user that has access privilege less than the steering user to request /api/<version>/steering/{{id}} api/<version>/steering/{{id}}/targets The response got is 200 OK

Expected / new behavior:

It makes more sense to give HTTP 403 Forbidden with error text something like You don't have permission for this action/method with your role

Minimal reproduction of the problem with instructions:

Anything else:

Response for steering Endpoint should indicate appropriate status code and message

[lbathina]

Guess this will not be bug as well. edit/delete operations are not allowed as expected. However, the PR #3507 did not clearly mention about the view access or access to get actions.