Bug #38731

closed

User's organization and location membership is not propagated to authorization checks

Added by Adam Ruzicka 6 months ago. Updated 4 months ago.

Status:
Closed
Priority:
Normal
Assignee:
Category:
Users, Roles and Permissions
Target version:
-
Difficulty:
Triaged:
No
Fixed in Releases:
Found in Releases:

Description

Steps to reproduce:
1) Have organizations org1 and org2
2) Create a user 'u'
3) Assign the user to org1
4) Create domain 'd1' in org1
5) Create domain 'd2' in org2
6) Create a custom role, do not set any taxonomies on the role, add view_domains permission to it
7) In rails console:

> User.current = User.find_by(login: 'u')
-----B<-----SNIP-----B<-----

> ::Domain.unscoped.authorized(:view_domains).map(&:name)
['d1', 'd2']

Actual results:
The console query finds both domains

Expected results:
The console query finds only one domain

Note:
On Foreman resources, there is a default scope that performs the organization and location scoping, hence the unscoped.

The common assumption is that what user is allowed to do is an intersection of what the user's permissions allow and what organizations and locations the user belongs to, but currently the authorize helper (and friends) only deals with permissions. The goal of this issue is to make that assumption hold.
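The authorization semantics this issue describes, as an added example that is not Foreman's own code: a plain-Ruby model of the `authorized` scope, with the permission-only check from the report beside one that also intersects the result with the user's organization membership. Locations are left out, Struct objects stand in for ActiveRecord models, and all names are constructed to mirror the steps to reproduce.

```ruby
# Added example, not Foreman's implementation: a minimal model of the
# authorization check discussed in this issue (organizations only).
Org    = Struct.new(:name)
Domain = Struct.new(:name, :organization)
Role   = Struct.new(:permissions, :organizations)  # organizations nil => role has no taxonomy filter
User   = Struct.new(:login, :roles, :organizations)

# Constructed sample data mirroring the steps to reproduce.
ORG1 = Org.new('org1')
ORG2 = Org.new('org2')
DOMAINS = [Domain.new('d1', ORG1), Domain.new('d2', ORG2)]
VIEW_DOMAINS_ROLE = Role.new([:view_domains], nil)       # custom role, no taxonomies set
USER_U = User.new('u', [VIEW_DOMAINS_ROLE], [ORG1])       # user 'u' assigned to org1 only

# Buggy behaviour from the report: only the permission (and the role's own
# taxonomy filter, which here is empty) is consulted, so a user holding the
# permission sees records from every organization.
def authorized_permission_only(user, permission, records)
  roles = user.roles.select { |r| r.permissions.include?(permission) }
  return [] if roles.empty?
  records.select do |rec|
    roles.any? { |r| r.organizations.nil? || r.organizations.include?(rec.organization) }
  end
end

# Fixed behaviour: the result is the intersection of what the permission
# allows and the organizations the user belongs to.
def authorized_with_taxonomies(user, permission, records)
  authorized_permission_only(user, permission, records).select do |rec|
    user.organizations.include?(rec.organization)
  end
end

def names(records)
  records.map(&:name)
end
```

A role that is itself restricted to org2 and granted to a user who belongs only to org1 yields nothing under the fixed check, which is the intersection the issue asks for.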


Related issues 2 (0 open, 2 closed)

Related to Katello - Bug #38844: Adjust tests to taxonomy checks being done as part of authorization checks (Closed, Adam Ruzicka)
Related to Ansible - Bug #39024: Adjust tests to taxonomy check related changes in Foreman (Closed, Adam Ruzicka)
#1

Updated by Adam Ruzicka 6 months ago

  • Red Hat JIRA set to SAT-38164
#2

Updated by Adam Ruzicka 6 months ago

  • Category changed from Security to Users, Roles and Permissions
#3

Updated by Adam Ruzicka 6 months ago

Katello-flavored steps to reproduce:
1) Have organizations org1 and org2
2) Create a user 'u'
3) Assign the user to org1
4) Create product 'p1' in org1
5) Create domain 'p2' in org2
6) Create a custom role, do not set any taxonomies on the role, add view_products permission to it
7) In rails console:

> User.current = User.find_by(login: 'u')
-----B<-----SNIP-----B<-----

> ::Katello::Product.authorized(:view_products).map(&:name)
['p1', 'p2']
#4

Updated by Adam Ruzicka 5 months ago

  • Related to Bug #38844: Adjust tests to taxonomy checks being done as part of authorization checks added
#5

Updated by The Foreman Bot 5 months ago

  • Status changed from New to Ready For Testing
  • Assignee set to Adam Ruzicka
  • Pull request https://github.com/theforeman/foreman/pull/10701 added
#6

Updated by The Foreman Bot 4 months ago

  • Fixed in Releases 3.17.0 added
#7

Updated by Adam Ruzicka 4 months ago

  • Status changed from Ready For Testing to Closed
#8

Updated by Adam Ruzicka about 2 months ago

  • Related to Bug #39024: Adjust tests to taxonomy check related changes in Foreman added