Project

General

Profile

Bug #5578

Cant set permissions on specific resource types

Added by Partha Aji almost 5 years ago. Updated almost 5 years ago.

Status:
Closed
Priority:
Normal
Category:
Authorization
Target version:
-
Difficulty:
Triaged:
No
Bugzilla link:
Pull request:
Team Backlog:
Fixed in Releases:
Found in Releases:

Description

Foreman's permission system infers the aclable routing paths from the model/resource type name. For example in https://github.com/Katello/katello/blob/roles/app/policies/katello/permissions/sync_plan_permissions.rb#L9 for sync plan permissions, the route to be acl'ed when "view_sync_plans" permission is selected is determined from doing some magic and translating the resource type name Katello::SyncPlan => Katello.find(sync_plans_path). The issue occurs when model name does not exactly correspond to the paths. Take the example of some permission policy that looks like
permission :view_lifecycle_environments, {
'katello/api/v2/environments' => [:index, :show]
},
:resource_type => 'Katello::KTEnvironment'

Now the Katello::KTEnvironment gets translated to -> Katello.find(kt_environments_path) .. Unfortunately such a path does not exist, since in Katello even though we have a model named as KTEnvironment, the routing and the controllers all point to "environments_path". Katello.find(environments_path)'

We need a way in the foreman permissions system to set this up.


Related issues

Is duplicate of Foreman - Bug #5553: Filter create/edit breaks if the resource type does not have a corresponding controller with 'autocomplete_search'Closed2014-05-02
Blocks Katello - Feature #5217: As a user, I should have CRUD permissions for all entities that are exposed to me.Closed2014-04-16

History

#1 Updated by Partha Aji almost 5 years ago

  • Blocks Feature #5217: As a user, I should have CRUD permissions for all entities that are exposed to me. added

#2 Updated by Dominic Cleal almost 5 years ago

  • Category set to Authorization

#3 Updated by Dmitri Dolguikh almost 5 years ago

  • Status changed from New to Feedback

To solve this problem you'll need to do two things:
- have a way of extracting/mapping of resource/action pairs from/to Katello urls
- override Foreman::Controller::Authentication#authorized and use resource/action pair from the previous step to resolve authorization

Permission definitions can stay as in your example.

#4 Updated by Dmitri Dolguikh almost 5 years ago

  • Is duplicate of Bug #5553: Filter create/edit breaks if the resource type does not have a corresponding controller with 'autocomplete_search' added

#5 Updated by Dmitri Dolguikh almost 5 years ago

  • Status changed from Feedback to Closed

Also available in: Atom PDF