Project

General

Profile

Bug #30880

Add permission support to validate 404 on denial and multi permissions

Added by Partha Aji almost 2 years ago. Updated almost 2 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Security
Target version:
Difficulty:
Triaged:
Yes
Bugzilla link:
Fixed in Releases:
Found in Releases:
Red Hat JIRA:

Description

The current testing framework does not handle 404s on denial. This behaviour is consistent with foreman, 404 instead of 403 if object not authorized. 403 is only when route is not authorized.
We need to add support to this.
The current authorization does not handle multi permissions also. For example destroy_content_views and promote_or_remove_content_views either support 'removing' a content view. However the controller authorizer does not handle this correctly.


Related issues

Blocks Katello - Tracker #30872: Use proper authorization in controllersClosed

Associated revisions

Revision e2026d90 (diff)
Added by Partha Aji almost 2 years ago

Fixes #30880 - Permission support to validate 404 (#8956)

This commit enables checking authorizing a specific instance and ensure
that it handles 404 correctly.
It also adds support for multi possible permissions for same action.
For example destroy_content_views and promote_or_remove_content_views
Either support 'removing' a content view.
This commit adds support to handle that.

History

#1 Updated by Partha Aji almost 2 years ago

  • Blocks Tracker #30872: Use proper authorization in controllers added

#2 Updated by The Foreman Bot almost 2 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/Katello/katello/pull/8956 added

#3 Updated by The Foreman Bot almost 2 years ago

  • Fixed in Releases Katello 4.0.0 added

#4 Updated by Partha Aji almost 2 years ago

  • Status changed from Ready For Testing to Closed

#5 Updated by Ian Ballou almost 2 years ago

  • Target version set to Katello 3.18.0

#6 Updated by Ian Ballou almost 2 years ago

  • Triaged changed from No to Yes

Also available in: Atom PDF