
Bug #37531

open

Autocomplete feature for search shows content from forbidden organization for user

Added by Thorben Denzer over 1 year ago. Updated 5 months ago.

Status:
Ready For Testing
Priority:
Normal
Category:
Search
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

In the current version of Foreman, the auto-complete feature for search-bars does not respect organizations.

Steps to Reproduce:
1. Create two organizations (org-1, org-2)
2. Create a user for org-2 (the user cannot see org-1)
3. On the UI page "Hosts->All Hosts" or "Hosts->Content Hosts", type an option such as "lifecycle_environment = " or "content_view = " into the search field.
4. We get a list of content from both organizations, org-1 and org-2.

Actual results:
We get a list of content from both organizations, org-1 and org-2, if we choose one of the search options mentioned above.

Expected results:
We should get only the list of recommended content from the user's organization (org-2 in this case).


Files

clipboard-202410222108-pafkd.png (19 KB), Bernhard Suttner, 10/22/2024 07:08 PM

Related issues: 1 (0 open, 1 closed)

Related to Foreman - Bug #38727: Autocomplete feature for search shows content that should be forbidden by RBAC (Closed, Adam Ruzicka)
Actions #1

Updated by The Foreman Bot over 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/10197 added
Actions #2

Updated by Thorben Denzer over 1 year ago · Edited

The created users may be given the administrator role.

Actions #3

Updated by Bernhard Suttner over 1 year ago

Still possible on the new All Hosts Page (see attached screenshot clipboard-202410222108-pafkd.png).

Actions #4

Updated by The Foreman Bot 6 months ago

  • Pull request https://github.com/theforeman/foreman/pull/10645 added
Actions #5

Updated by Adam Ruzicka 6 months ago

  • Related to Bug #38656: Autocomplete feature for search shows content from forbidden organization for user added
Actions #6

Updated by Adam Ruzicka 5 months ago

  • Related to Bug #38727: Autocomplete feature for search shows content that should be forbidden by RBAC added
Actions #7

Updated by Adam Ruzicka 5 months ago

  • Pull request deleted (https://github.com/theforeman/foreman/pull/10645)
Actions #8

Updated by Adam Ruzicka 5 months ago

To capture notes from the two PRs [1,2]: there are two ways in which permissions can be scoped. Approach A is described in the steps to reproduce in this issue - the user is granted permissions through roles not assigned to any organization, but belongs to a specific organization. Issue 38727 takes the other approach (approach B) - the user is granted permissions through roles assigned to organizations. In layman's terms, the former is "a user can do anything and belongs to a certain org" while the latter is "a user can do things only in a certain org and belongs to it".

In the context of this issue, approach A works for probably all Foreman resources, because all of those resources declare a default scope which limits the results to things belonging to the current organization and location. Katello resources do not do this. There are at least three approaches that could be taken:
1) Add a taxonomy-aware default scope to all Katello resources
2) Declare a default autocompletion scope (similarly to what is done in a fix for [2]), but make it enforce taxonomy scoping instead of just checking permissions. Sadly, Katello doesn't seem to implement the same interface for this as Foreman does
3) Make Authorizable#authorized aware of the current taxonomy instead of it being strictly permission-based as it is now

[1] - https://github.com/theforeman/foreman/pull/10197
[2] - https://github.com/theforeman/foreman/pull/10645
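The difference between a strictly permission-based scope and a taxonomy-aware one, as discussed in the comment above, as an added plain-Ruby example (not Foreman or Katello code; it uses no ActiveRecord and stands in for the real models with structs). The user models approach A: the permission comes from a global role, but the user belongs to org-2 only. The permission name `view_lifecycle_environments`, the record names and the helper functions are assumptions for illustration; the point is that the permission check alone passes for every record, so autocompletion built on it offers values from org-1, while filtering by the user's current organization (what a taxonomy-aware default scope does) returns only org-2 values.

```ruby
# Added example, not Foreman/Katello code: models permission-only scoping
# versus taxonomy-aware scoping for search autocompletion.

Org = Struct.new(:name)

# A record belonging to one organization; stands in for a Katello resource
# such as a lifecycle environment or content view.
Record = Struct.new(:name, :organization)

# Approach A user: holds the permission via a global role, belongs to one org.
User = Struct.new(:login, :organization, :permissions) do
  def allowed?(permission)
    permissions.include?(permission)
  end
end

# Permission-only filter: if the user holds the permission at all, every
# record is returned regardless of which organization it belongs to.
def authorized_permission_only(records, user, permission)
  user.allowed?(permission) ? records : []
end

# Taxonomy-aware filter: same permission check, then restrict results to the
# user's current organization (the default scope Foreman resources declare).
def authorized_in_current_org(records, user, permission)
  return [] unless user.allowed?(permission)
  records.select { |r| r.organization == user.organization }
end

# Autocomplete candidates for a search key, built on one of the two scopes.
def autocomplete_values(records, user, permission, taxonomy_aware:)
  scoped = if taxonomy_aware
             authorized_in_current_org(records, user, permission)
           else
             authorized_permission_only(records, user, permission)
           end
  scoped.map(&:name).uniq.sort
end

# Constructed sample data mirroring the steps to reproduce (two orgs, a user
# who belongs to org-2 and must not see org-1 content).
ORG1 = Org.new("org-1")
ORG2 = Org.new("org-2")
SAMPLE_ENVS = [
  Record.new("Library", ORG1),
  Record.new("Dev", ORG1),
  Record.new("Library", ORG2),
  Record.new("Prod", ORG2),
].freeze
PERMISSION = "view_lifecycle_environments" # assumed permission name
ORG2_USER = User.new("org2-user", ORG2, [PERMISSION])

if __FILE__ == $PROGRAM_NAME
  leaky = autocomplete_values(SAMPLE_ENVS, ORG2_USER, PERMISSION, taxonomy_aware: false)
  scoped = autocomplete_values(SAMPLE_ENVS, ORG2_USER, PERMISSION, taxonomy_aware: true)
  puts "permission only: #{leaky.inspect}"   # includes org-1's "Dev"
  puts "taxonomy aware:  #{scoped.inspect}"  # org-2 values only
end
```

Note that the taxonomy-aware variant still applies the permission check first; a user without the permission gets nothing in either org, so adding the taxonomy filter narrows results and never widens them.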

Actions #9

Updated by Adam Ruzicka 5 months ago

  • Related to deleted (Bug #38656: Autocomplete feature for search shows content from forbidden organization for user)