Project

General

Profile

Bug #30394

50/50 chance to create role filter with non-admin user and enough permissions

Added by Shira Maximov over 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Ondřej Ezr
Category:
Users, Roles and Permissions
Target version:
2.5.1
Difficulty:
Triaged:
No
Bugzilla link:
1845498
Pull request:
https://github.com/theforeman/foreman/pull/8616, https://github.com/theforeman/foreman/pull/8422
Fixed in Releases:
2.5.1, 3.0.0
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1845498

Description of problem:
The error "Could not create the permission filter:
You don't have permission create_filters with attributes that you have specified or you don't have access to specified organizations or locations" is printed sometimes even with enough permissions for execution of the command:

  1. hammer --config configFile.yml --output json filter create --role roleName --permissions "permissionName"

Version-Release number of selected component (if applicable):
hammer 0.17.1

How reproducible:
hammer will sometimes success and sometimes not. When in loop you may see fails and success with not changed user role.

Steps to Reproduce:
1. Create Satellite user x
2. Create a /root/.hammer/cli_test.yml config file with the following content:

:foreman:
:host: <hostname>
:username: <userName>
:password: <password>

3. Create Role and add permissions below to the user created in the step 1.
(Miscellaneous) escalate_roles
Auth source view_authenticators
Bookmark view_bookmarks, create_bookmarks, edit_bookmarks, destroy_bookmarks
External usergroup view_external_usergroups, create_external_usergroups, edit_external_usergroups, destroy_external_usergroups
Filter view_filters, create_filters, edit_filters, destroy_filters
Organization view_organizations
Role view_roles, create_roles, edit_roles, destroy_roles
Subscription attach_subscriptions, unattach_subscriptions
Usergroup view_usergroups, create_usergroups, edit_usergroups, destroy_usergroups

4. Add Role from 3. to user from 1.
5. Create new role

  1. hammer --config /root/.hammer/cli_test.yml role create --name test_role --organizations <organization>

6. Create new filter for test_role

  1. hammer --config /root/.hammer/cli_test.yml filter create --role test_role --permissions "access_dashboard"

Actual results:
Sometimes
"Could not create the permission filter:
You don't have permission create_filters with attributes that you have specified or you don't have access to specified organizations or locations"

Sometimes
"Permission filter for [] created."

Expected results:
"Permission filter for [] created."

Associated revisions

Revision 2a0ad914 (diff)
Added by Ondřej Ezr almost 2 years ago

Fixes #30394 - allow non-admins deal with untaxed filters

Prior this non-admin user would have to have assigned Role without
taxonomies (global role) to be able to manipulate filters.
This allows manipulating Filters to any User with Filter perms.

Filters with taxonomies mean they apply to taxonomy. But given they have
taxonomies relations, they are expected to be taxable in our permission
model. All taxable resources have to have the same taxonomies as Filter
have.

Some filters doesn't have taxonomies as their underlying resource
doesn't have taxonomies. That mean they were unable to be touched by
non-admins prior this patch.

This also drops current taxonomy relations in migration and force flip
the `Override` flag to false for Filter resource filters.

Revision 44764290 (diff)
Added by Ondřej Ezr almost 2 years ago

Refs #30394 - rename taxable checks

This renames the taxable check methods on Filter to better express
what they mean. We want to know it the resource is taxable, not if it
has search on taxonomy.

History

#1 Updated by Tomer Brisker over 2 years ago

  • Category set to Users, Roles and Permissions

#2 Updated by Ondřej Ezr about 2 years ago

In development this always fails because of taxonomies.
Filter look like taxable, even though they are not taxable, their taxonomy assignment means "Filter applies to taxonomies".

This should be IMHO fixed by disabling taxonomy check on Filter permission checking.

#3 Updated by The Foreman Bot about 2 years ago

  • Assignee set to Ondřej Ezr
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/8422 added

#4 Updated by The Foreman Bot almost 2 years ago

  • Fixed in Releases 3.0.0 added

#5 Updated by The Foreman Bot almost 2 years ago

  • Fixed in Releases deleted (3.0.0)

#6 Updated by Ondřej Ezr almost 2 years ago

  • Status changed from Ready For Testing to Closed

#7 Updated by Tomer Brisker almost 2 years ago

  • Fixed in Releases 3.0.0 added

#8 Updated by The Foreman Bot almost 2 years ago

  • Pull request https://github.com/theforeman/foreman/pull/8616 added

#9 Updated by Tomer Brisker almost 2 years ago

  • Target version set to 2.5.1

#10 Updated by Tomer Brisker almost 2 years ago

  • Fixed in Releases 2.5.1 added

Also available in: Atom PDF