Project

General

Custom queries

Profile

Actions
Copy link

Bug #30394

closed

50/50 chance to create role filter with non-admin user and enough permissions

Added by Shira Maximov over 4 years ago. Updated almost 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Ondřej Ezr
Category:
Users, Roles and Permissions
Target version:
2.5.1
Difficulty:
Triaged:
No
Bugzilla link:
1845498
Pull request:
https://github.com/theforeman/foreman/pull/8422, https://github.com/theforeman/foreman/pull/8616
Fixed in Releases:
2.5.1, 3.0.0
Found in Releases:
Red Hat JIRA:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1845498

Description of problem:
The error "Could not create the permission filter:
You don't have permission create_filters with attributes that you have specified or you don't have access to specified organizations or locations" is printed sometimes even with enough permissions for execution of the command:

  1. hammer --config configFile.yml --output json filter create --role roleName --permissions "permissionName"

Version-Release number of selected component (if applicable):
hammer 0.17.1

How reproducible:
hammer will sometimes success and sometimes not. When in loop you may see fails and success with not changed user role.

Steps to Reproduce:
1. Create Satellite user x
2. Create a /root/.hammer/cli_test.yml config file with the following content:

:foreman:
:host: <hostname>
:username: <userName>
:password: <password>

3. Create Role and add permissions below to the user created in the step 1.
(Miscellaneous) escalate_roles
Auth source view_authenticators
Bookmark view_bookmarks, create_bookmarks, edit_bookmarks, destroy_bookmarks
External usergroup view_external_usergroups, create_external_usergroups, edit_external_usergroups, destroy_external_usergroups
Filter view_filters, create_filters, edit_filters, destroy_filters
Organization view_organizations
Role view_roles, create_roles, edit_roles, destroy_roles
Subscription attach_subscriptions, unattach_subscriptions
Usergroup view_usergroups, create_usergroups, edit_usergroups, destroy_usergroups

4. Add Role from 3. to user from 1.
5. Create new role

  1. hammer --config /root/.hammer/cli_test.yml role create --name test_role --organizations <organization>

6. Create new filter for test_role

  1. hammer --config /root/.hammer/cli_test.yml filter create --role test_role --permissions "access_dashboard"

Actual results:
Sometimes
"Could not create the permission filter:
You don't have permission create_filters with attributes that you have specified or you don't have access to specified organizations or locations"

Sometimes
"Permission filter for [] created."

Expected results:
"Permission filter for [] created."

Added by Ondřej Ezr almost 4 years ago

Revision 2a0ad914 (diff)

Fixes #30394 - allow non-admins deal with untaxed filters

Prior this non-admin user would have to have assigned Role without
taxonomies (global role) to be able to manipulate filters.
This allows manipulating Filters to any User with Filter perms.

Filters with taxonomies mean they apply to taxonomy. But given they have
taxonomies relations, they are expected to be taxable in our permission
model. All taxable resources have to have the same taxonomies as Filter
have.

Some filters doesn't have taxonomies as their underlying resource
doesn't have taxonomies. That mean they were unable to be touched by
non-admins prior this patch.

This also drops current taxonomy relations in migration and force flip
the `Override` flag to false for Filter resource filters.

Added by Ondřej Ezr almost 4 years ago

Revision 44764290 (diff)

Refs #30394 - rename taxable checks

This renames the taxable check methods on Filter to better express
what they mean. We want to know it the resource is taxable, not if it
has search on taxonomy.

Actions
Copy link

Also available in: Atom PDF