Bug #17314

Non-admin user with edit_subnets permissions (etc) cannot edit subnets

Added by Dominic Cleal about 1 year ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Assigned To: Dominic Cleal
Category: Authorization
Target version: -
Difficulty:
Bugzilla link:
Found in release:
Pull request: https://github.com/theforeman/foreman/pull/4014
Story points: -
Velocity based estimate: -
Release: 1.13.2
Release relationship: Auto

Description

For a non-admin user with a role granting:

  • view_subnets, create_subnets, edit_subnets, destroy_subnets, import_subnets

with unlimited scope, the edit/destroy links on the subnets UI index are greyed out or missing.

The log shows:

2016-11-11T09:22:13 93379cee [app] [I] Started GET "/subnets" for 127.0.0.1 at 2016-11-11 09:22:13 +0000
2016-11-11T09:22:13 93379cee [app] [I] Processing by SubnetsController#index as HTML
2016-11-11T09:22:13 93379cee [sql] [D]   ActiveRecord::SessionStore::Session Load (0.1ms)  SELECT  "sessions".* FROM "sessions" WHERE "sessions"."session_id" = ?  ORDER BY "sessions"."id" ASC LIMIT 1  [["session_id", "93379cee4fc807faacc48d1adc6fcef2"]]
2016-11-11T09:22:13 93379cee [sql] [D]   User Load (0.1ms)  SELECT  "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 66]]
2016-11-11T09:22:13 93379cee [app] [D] Setting current user thread-local variable to 16739test
2016-11-11T09:22:13 93379cee [sql] [D]   AuthSource Load (0.1ms)  SELECT  "auth_sources".* FROM "auth_sources" WHERE "auth_sources"."id" = ? LIMIT 1  [["id", 1]]
2016-11-11T09:22:13 93379cee [sql] [D]   Usergroup Load (0.2ms)  SELECT "usergroups".* FROM "usergroups" INNER JOIN "cached_usergroup_members" ON "usergroups"."id" = "cached_usergroup_members"."usergroup_id" WHERE "cached_usergroup_members"."user_id" = ?  ORDER BY usergroups.name  [["user_id", 66]]
2016-11-11T09:22:13 93379cee [sql] [D]   Role Load (0.3ms)  SELECT DISTINCT "roles".* FROM "roles" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ?  [["user_id", 66]]
2016-11-11T09:22:13 93379cee [sql] [D]    (0.2ms)  SELECT permissions.name FROM "permissions" INNER JOIN "filterings" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "filters" ON "filterings"."filter_id" = "filters"."id" WHERE "filters"."role_id" = ?  ORDER BY filters.role_id, filters.id  [["role_id", 8]]
2016-11-11T09:22:13 93379cee [sql] [D]    (0.2ms)  SELECT permissions.name FROM "permissions" INNER JOIN "filterings" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "filters" ON "filterings"."filter_id" = "filters"."id" WHERE "filters"."role_id" = ?  ORDER BY filters.role_id, filters.id  [["role_id", 46]]
2016-11-11T09:22:13 93379cee [sql] [D]   Subnet Load (0.4ms)  SELECT  "subnets".* FROM "subnets"  ORDER BY vlanid LIMIT 1
2016-11-11T09:22:13 93379cee [permissions] [D] checking permission view_subnets
2016-11-11T09:22:13 93379cee [sql] [D]   Filter Load (0.1ms)  SELECT "filters".* FROM "filters" INNER JOIN "filterings" ON "filterings"."filter_id" = "filters"."id" INNER JOIN "permissions" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "roles" ON "filters"."role_id" = "roles"."id" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? AND (permissions.resource_type = 'Subnet') AND (permissions.name = 'view_subnets')  [["user_id", 66]]
2016-11-11T09:22:13 93379cee [permissions] [D] filter with role_id: 46 limited: false search:  taxonomy_search: 
2016-11-11T09:22:13 93379cee [sql] [D]   SQL (0.3ms)  SELECT  DISTINCT "subnets"."id" FROM "subnets" LEFT OUTER JOIN "subnet_domains" ON "subnet_domains"."subnet_id" = "subnets"."id" LEFT OUTER JOIN "domains" ON "domains"."id" = "subnet_domains"."domain_id" LEFT OUTER JOIN "smart_proxies" ON "smart_proxies"."id" = "subnets"."dhcp_id"  ORDER BY vlanid LIMIT 20 OFFSET 0
2016-11-11T09:22:13 93379cee [sql] [D]   SQL (0.7ms)  SELECT "subnets"."id" AS t0_r0, "subnets"."network" AS t0_r1, "subnets"."mask" AS t0_r2, "subnets"."priority" AS t0_r3, "subnets"."name" AS t0_r4, "subnets"."vlanid" AS t0_r5, "subnets"."created_at" AS t0_r6, "subnets"."updated_at" AS t0_r7, "subnets"."dhcp_id" AS t0_r8, "subnets"."tftp_id" AS t0_r9, "subnets"."gateway" AS t0_r10, "subnets"."dns_primary" AS t0_r11, "subnets"."dns_secondary" AS t0_r12, "subnets"."from" AS t0_r13, "subnets"."to" AS t0_r14, "subnets"."dns_id" AS t0_r15, "subnets"."ipam" AS t0_r16, "subnets"."boot_mode" AS t0_r17, "subnets"."type" AS t0_r18, "domains"."id" AS t1_r0, "domains"."name" AS t1_r1, "domains"."fullname" AS t1_r2, "domains"."created_at" AS t1_r3, "domains"."updated_at" AS t1_r4, "domains"."dns_id" AS t1_r5, "smart_proxies"."id" AS t2_r0, "smart_proxies"."name" AS t2_r1, "smart_proxies"."url" AS t2_r2, "smart_proxies"."created_at" AS t2_r3, "smart_proxies"."updated_at" AS t2_r4, "smart_proxies"."expired_logs" AS t2_r5 FROM "subnets" LEFT OUTER JOIN "subnet_domains" ON "subnet_domains"."subnet_id" = "subnets"."id" LEFT OUTER JOIN "domains" ON "domains"."id" = "subnet_domains"."domain_id" LEFT OUTER JOIN "smart_proxies" ON "smart_proxies"."id" = "subnets"."dhcp_id" WHERE "subnets"."id" IN (1, 4, 5, 6, 7, 8, 13)  ORDER BY vlanid
2016-11-11T09:22:13 93379cee [permissions] [D] checking permission edit_subnets
2016-11-11T09:22:13 93379cee [sql] [D]   Filter Load (0.3ms)  SELECT "filters".* FROM "filters" INNER JOIN "filterings" ON "filterings"."filter_id" = "filters"."id" INNER JOIN "permissions" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "roles" ON "filters"."role_id" = "roles"."id" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? AND (permissions.resource_type = 'Subnet::Ipv4') AND (permissions.name = 'edit_subnets')  [["user_id", 66]]
2016-11-11T09:22:13 93379cee [permissions] [D] 
2016-11-11T09:22:13 93379cee [permissions] [D] no filters found for given permission
2016-11-11T09:22:13 93379cee [sql] [D]   Subnet::Ipv4 Load (0.5ms)  SELECT "subnets".* FROM "subnets" WHERE "subnets"."type" IN ('Subnet::Ipv4') AND (1=0)  ORDER BY vlanid
2016-11-11T09:22:13 93379cee [permissions] [D] checking permission destroy_subnets
2016-11-11T09:22:13 93379cee [sql] [D]   Filter Load (0.1ms)  SELECT "filters".* FROM "filters" INNER JOIN "filterings" ON "filterings"."filter_id" = "filters"."id" INNER JOIN "permissions" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "roles" ON "filters"."role_id" = "roles"."id" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? AND (permissions.resource_type = 'Subnet::Ipv4') AND (permissions.name = 'destroy_subnets')  [["user_id", 66]]
2016-11-11T09:22:13 93379cee [permissions] [D] 
2016-11-11T09:22:13 93379cee [permissions] [D] no filters found for given permission
2016-11-11T09:22:13 93379cee [sql] [D]   CACHE (0.0ms)  SELECT "subnets".* FROM "subnets" WHERE "subnets"."type" IN ('Subnet::Ipv4') AND (1=0)  ORDER BY vlanid
2016-11-11T09:22:13 93379cee [permissions] [D] checking permission edit_subnets
2016-11-11T09:22:13 93379cee [sql] [D]   Filter Load (0.1ms)  SELECT "filters".* FROM "filters" INNER JOIN "filterings" ON "filterings"."filter_id" = "filters"."id" INNER JOIN "permissions" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "roles" ON "filters"."role_id" = "roles"."id" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? AND (permissions.resource_type = 'Subnet::Ipv6') AND (permissions.name = 'edit_subnets')  [["user_id", 66]]
2016-11-11T09:22:13 93379cee [permissions] [D] 
2016-11-11T09:22:13 93379cee [permissions] [D] no filters found for given permission
2016-11-11T09:22:13 93379cee [sql] [D]   Subnet::Ipv6 Load (0.3ms)  SELECT "subnets".* FROM "subnets" WHERE "subnets"."type" IN ('Subnet::Ipv6') AND (1=0)  ORDER BY vlanid
2016-11-11T09:22:13 93379cee [permissions] [D] checking permission destroy_subnets
2016-11-11T09:22:13 93379cee [sql] [D]   Filter Load (0.3ms)  SELECT "filters".* FROM "filters" INNER JOIN "filterings" ON "filterings"."filter_id" = "filters"."id" INNER JOIN "permissions" ON "permissions"."id" = "filterings"."permission_id" INNER JOIN "roles" ON "filters"."role_id" = "roles"."id" INNER JOIN "cached_user_roles" ON "roles"."id" = "cached_user_roles"."role_id" WHERE "cached_user_roles"."user_id" = ? AND (permissions.resource_type = 'Subnet::Ipv6') AND (permissions.name = 'destroy_subnets')  [["user_id", 66]]
2016-11-11T09:22:13 93379cee [permissions] [D] 
2016-11-11T09:22:13 93379cee [permissions] [D] no filters found for given permission
2016-11-11T09:22:13 93379cee [sql] [D]   CACHE (0.0ms)  SELECT "subnets".* FROM "subnets" WHERE "subnets"."type" IN ('Subnet::Ipv6') AND (1=0)  ORDER BY vlanid
2016-11-11T09:22:13 93379cee [app] [I]   Rendered subnets/index.html.erb within layouts/application (67.5ms)

The resource_type being searched for is Subnet::Ipv4 and Subnet::Ipv6, but there are not separate permissions for the IPv4/6 subnet subclasses. They should be aliased to Subnet.
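The lookup the log shows, modelled in plain Ruby as an added example for this page (it is not Foreman's code and does not reproduce the actual fix in the pull request). The filter and role data are constructed, and the helper names (FILTERS, USER_ROLES, sti_base_class, resource_type_for, scope_condition) are assumptions chosen for illustration. With alias_sti_to_base: false the filter query is keyed on the subclass name, exactly as in the log, finds nothing and falls back to the `(1=0)` clause; with it true, the STI subclass resolves to its base class and the role's unlimited filter is found.

```ruby
# Added example, not Foreman's code: an in-memory model of the permission
# filter lookup visible in the log above. All data below is constructed and
# the helper names are assumptions chosen for illustration.

# Single-table-inheritance hierarchy from the report: Subnet is the base,
# Subnet::Ipv4 and Subnet::Ipv6 are the concrete subclasses.
class Subnet; end
class Subnet::Ipv4 < Subnet; end
class Subnet::Ipv6 < Subnet; end
class Domain; end # unrelated resource, used to show the alias stays narrow

# Constructed filters. Permissions are registered against the base resource
# type 'Subnet'. Role 46 carries an unlimited filter (search: nil) for every
# *_subnets permission; role 8 carries a limited filter on view_subnets only.
FILTERS = [
  { role_id: 46, resource_type: 'Subnet', search: nil,
    permissions: %w[view_subnets create_subnets edit_subnets destroy_subnets import_subnets] },
  { role_id: 8,  resource_type: 'Subnet', search: 'name ~ dev*',
    permissions: %w[view_subnets] },
].freeze

# Constructed user -> role assignments.
USER_ROLES = { 66 => [46], 67 => [8] }.freeze

# Walks the superclass chain up to the STI root, the same answer ActiveRecord's
# base_class gives for a subclass. Classes that inherit directly from Object
# are their own root, so unrelated resources never collapse onto Subnet.
def sti_base_class(klass)
  klass = klass.superclass while klass.superclass != Object
  klass
end

# The resource_type string used in the filter query. Keyed on klass.name it
# becomes 'Subnet::Ipv4' (what the log shows, and what breaks); keyed on the
# STI base class it becomes 'Subnet', which the permission seeds use.
def resource_type_for(klass, alias_sti_to_base)
  (alias_sti_to_base ? sti_base_class(klass) : klass).name
end

def filters_for(user_id, klass, permission, alias_sti_to_base: true)
  role_ids = USER_ROLES.fetch(user_id, [])
  type = resource_type_for(klass, alias_sti_to_base)
  FILTERS.select do |f|
    role_ids.include?(f[:role_id]) &&
      f[:resource_type] == type &&
      f[:permissions].include?(permission)
  end
end

# Returns the WHERE fragment the authorizer would append. No matching filter
# fails closed with '(1=0)', the clause seen in the log; an unlimited filter
# grants the whole table; limited filters OR their search conditions together.
def scope_condition(user_id, klass, permission, alias_sti_to_base: true)
  filters = filters_for(user_id, klass, permission, alias_sti_to_base: alias_sti_to_base)
  return '(1=0)' if filters.empty?
  return '(1=1)' if filters.any? { |f| f[:search].nil? }
  '(' + filters.map { |f| f[:search] }.join(' OR ') + ')'
end

if $PROGRAM_NAME == __FILE__
  # Reproduces the report: keyed on the subclass name, nothing matches.
  puts "buggy edit_subnets on Subnet::Ipv4: " \
       "#{scope_condition(66, Subnet::Ipv4, 'edit_subnets', alias_sti_to_base: false)}"
  # Aliased to the base class, the role's unlimited filter is found.
  puts "fixed edit_subnets on Subnet::Ipv4: #{scope_condition(66, Subnet::Ipv4, 'edit_subnets')}"
end
```

Two points worth checking in any fix of this shape. First, the broken lookup fails closed: a user with a legitimate grant is denied, which is the safe direction for an authorization bug. Second, the alias must stay narrow: in this model only STI subclasses resolve to their own root, so a lookup for Domain against a Subnet permission still yields `(1=0)`, and a user whose only filter is limited (role 8 here) still gets the search condition rather than the whole table. An alias that mapped every class to a broader permission would fail open instead.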


Related issues

Related to Foreman - Refactor #14638: Refactor Subnet into STI to allow different subnet types Closed 04/14/2016

Associated revisions

Revision b628f373
Added by Dominic Cleal about 1 year ago

fixes #17314 - use *_subnets permissions for Subnet subclasses

Revision 2e6a06a4
Added by Dominic Cleal 12 months ago

fixes #17314 - use *_subnets permissions for Subnet subclasses

(cherry picked from commit b628f37369dead0a247bd6d5857bb2cafd223e77)

History

#1 Updated by Dominic Cleal about 1 year ago

  • Related to Refactor #14638: Refactor Subnet into STI to allow different subnet types added

#2 Updated by The Foreman Bot about 1 year ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/4014 added

#3 Updated by Daniel Lobato Garcia about 1 year ago

  • Release set to 1.13.2

#4 Updated by Dominic Cleal about 1 year ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
