Bug #5909

Editing host fails for non-admin user with fact filter

Added by m w about 5 years ago. Updated about 1 year ago.

Status: Closed
Priority: Normal
Category: Authorization

Description

When a non-administrator tries to edit anything about a host, this error is displayed. This includes, but is not limited to, adding or removing a class from a host, changing a parameter, or adding a comment. Role filters are attached as a screenshot.

ActiveRecord::ReadOnlyRecord
ActiveRecord::ReadOnlyRecord
app/models/concerns/foreman/sti.rb:29:in `save_with_type'
app/controllers/hosts_controller.rb:117:in `block in update'
app/models/taxonomy.rb:41:in `block in no_taxonomy_scope'
app/models/taxonomy.rb:48:in `block (2 levels) in as_taxonomy'
app/models/concerns/foreman/thread_session.rb:143:in `as_location'
app/models/taxonomy.rb:47:in `block in as_taxonomy'
app/models/concerns/foreman/thread_session.rb:108:in `as_org'
app/models/taxonomy.rb:46:in `as_taxonomy'
app/models/taxonomy.rb:40:in `no_taxonomy_scope'
app/controllers/hosts_controller.rb:109:in `update'
app/models/concerns/foreman/thread_session.rb:33:in `clear_thread'
lib/middleware/catch_json_parse_errors.rb:9:in `call'


Related issues

Blocks Foreman - Tracker #4552: New permissions/authorization system issues (New)

Associated revisions

Revision 0d80512c (diff)
Added by Dominic Cleal over 4 years ago

fixes #5909 - return r/w resources from authorized scope

Revision 4f08c522 (diff)
Added by Dominic Cleal about 4 years ago

fixes #5909 - return r/w resources from authorized scope

(cherry picked from commit 0d80512c3293895750ffda82489b719c38ec5612)

History

#1 Updated by m w about 5 years ago

This is version 1.5.0 installed from rpm

#2 Updated by m w about 5 years ago

Started PUT "/hosts/abacus0.isis.unc.edu" for 152.19.250.39 at 2014-05-23 08:58:17 -0400
Processing by HostsController#update as */*
Parameters: {"utf8"=>"✓", "authenticity_token"=>"REMOVED", "host"=>{"name"=>"abacus0.isis.unc.edu", "hostgroup_id"=>"", "environment_id"=>"1", "puppet_ca_proxy_id"=>"1", "puppet_proxy_id"=>"1", "puppetclass_ids"=>["", "42", "47", "51", "717", "215", "217", "828", "407", "822"], "managed"=>"f", "progress_report_id"=>"[FILTERED]", "lookup_values_attributes"=>"[FILTERED]", "host_parameters_attributes"=>{"0"=>{"name"=>"sm_customer", "value"=>"[FILTERED]", "nested"=>"", "id"=>"1246"}, "1"=>{"name"=>"sudo__full_sudo_groups", "value"=>"[FILTERED]", "nested"=>"", "id"=>"829"}}, "is_owned_by"=>"2-Users", "enabled"=>"1", "model_id"=>"2", "comment"=>"", "overwrite"=>"false"}, "id"=>"abacus0.isis.unc.edu"}
Operation FAILED: ActiveRecord::ReadOnlyRecord
Rendered common/500.html.erb (4.2ms)
Completed 500 Internal Server Error in 145ms (Views: 5.0ms | ActiveRecord: 40.7ms)

#3 Updated by m w about 5 years ago

Sorry, please downgrade this from High. This only seems to cause an error when the search is based on a fact:

Host/managed view_hosts, edit_hosts facts.customer = mycustomer

#4 Updated by Joseph Magen almost 5 years ago

  • Priority changed from High to Normal

#5 Updated by Adam Winberg over 4 years ago

I'm also getting this with 1.7.1 while using a role with a search filter on "Host/managed" based on a fact. If I remove the filter and use 'unlimited' instead, or filter on, for example, hostgroup, it works.

I would think this would've been resolved after 8 months, or can you not reproduce it? In a devop environment it's pretty important to be able to filter host permissions based on facts.

#6 Updated by Dominic Cleal over 4 years ago

  • Blocks Tracker #4552: New permissions/authorization system issues added

#7 Updated by Dominic Cleal over 4 years ago

  • Category set to Authorization

#8 Updated by Anthony Lapenna over 4 years ago

Same issue in 1.7.1 when a user tries to override a class parameter.

Also got a role with a search filter on "Host/managed" based on a fact.

#9 Updated by Dominic Cleal over 4 years ago

  • Subject changed from removing class from a host fails for non-admin user to Editing host fails for non-admin user with fact filter
  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal

#10 Updated by The Foreman Bot over 4 years ago

  • Status changed from Assigned to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/2286 added
  • Pull request deleted ()

#11 Updated by Marek Hulán over 4 years ago

  • Legacy Backlogs Release (now unused) set to 35

#12 Updated by Dominic Cleal over 4 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#13 Updated by Dominic Cleal over 4 years ago

  • Legacy Backlogs Release (now unused) changed from 35 to 50
