Bug
Resolution: Unresolved
Critical
ACM 2.12.1
Description of problem:
Non-admin users with access to create ManagedClusterView in a managed cluster namespace cannot see search results for the cluster.
In addition, application aggregation depends on the ServiceAccount having this permission, so no remote applications can be listed. In this case, the effect applies to all users, not only non-admin users.
Version-Release number of selected component (if applicable):
ACM 2.12.1
How reproducible:
Always
Steps to Reproduce:
- Set up a cluster with at least 1 managed cluster other than the local hub
- Log in with non-admin user that has permission to create ManagedClusterView in the managed cluster namespace
- Attempt to search for resources on the managed cluster, or view applications (including built-in OCP apps) on the managed cluster
Actual results:
No results will be found.
Expected results:
User should see these resources.
Additional info:
The problematic code is at the locations linked below. The check was tightened by verifying the API group, but the wrong API group was used (cluster.open-cluster-management.io instead of view.open-cluster-management.io).
https://github.com/stolostron/search-v2-api/blob/main/pkg/rbac/userData.go#L366
https://github.com/stolostron/search-v2-api/blob/release-2.12/pkg/rbac/userData.go#L366
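The mismatch is easy to see in isolation. The following Go snippet is an added illustration, not the search-v2-api code: it uses a hypothetical simplified `Rule` shape (API groups, resources, verbs with `*` wildcards, as in a Kubernetes rules review) and shows that a user granted `create` on `managedclusterviews` in `view.open-cluster-management.io` passes the check only when the correct group is verified, while a wildcard cluster-admin rule passes either way, which is why only non-admin users see the failure.

```go
package main

import "fmt"

// Rule is a constructed, simplified stand-in for one RBAC rule
// (hypothetical shape; not the search-v2-api userData.go code).
type Rule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

const (
	// API group the reported check mistakenly verifies against.
	WrongGroup = "cluster.open-cluster-management.io"
	// API group that actually owns ManagedClusterView.
	ViewGroup = "view.open-cluster-management.io"
)

// contains honours the "*" wildcard used in Kubernetes RBAC rules.
func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// CanCreateMCV reports whether rules grant "create" on managedclusterviews
// in the given API group. Calling it with WrongGroup reproduces the bug.
func CanCreateMCV(rules []Rule, group string) bool {
	for _, r := range rules {
		if contains(r.APIGroups, group) &&
			contains(r.Resources, "managedclusterviews") &&
			contains(r.Verbs, "create") {
			return true
		}
	}
	return false
}

// NonAdminRules is a constructed rule set granting only the
// ManagedClusterView permission described in the report.
var NonAdminRules = []Rule{
	{APIGroups: []string{ViewGroup}, Resources: []string{"managedclusterviews"}, Verbs: []string{"create", "get"}},
}

// AdminRules is a constructed cluster-admin style wildcard rule.
var AdminRules = []Rule{{APIGroups: []string{"*"}, Resources: []string{"*"}, Verbs: []string{"*"}}}

func main() {
	fmt.Println("non-admin, wrong group:", CanCreateMCV(NonAdminRules, WrongGroup)) // false
	fmt.Println("non-admin, view group :", CanCreateMCV(NonAdminRules, ViewGroup))  // true
	fmt.Println("admin, wrong group    :", CanCreateMCV(AdminRules, WrongGroup))    // true
}
```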