Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check selected Service Catalog Item for RBAC #779

Merged
merged 10 commits into from
Mar 30, 2017
Merged

Check selected Service Catalog Item for RBAC #779

merged 10 commits into from
Mar 30, 2017

Conversation

romanblanco
Copy link
Member

method: servicetemplate_edit
reproduce: Services -> Catalogs -> Catalog Item -> Select Service Catalog Items -> (Edit Selected Item / Add a New Catalog Item / Add a New Catalog Bundle)

@romanblanco romanblanco changed the title Check selected Service Catalog Item for RBAC [WIP] Check selected Service Catalog Item for RBAC Mar 23, 2017
@miq-bot miq-bot added the wip label Mar 23, 2017
PanSpagetka
PanSpagetka reviewed Mar 24, 2017
View reviewed changes
app/controllers/catalog_controller.rb Outdated
@sb[:cached_waypoint_ids] = MiqAeClass.waypoint_ids_for_state_machines
checked[0] = params[:id] if checked.blank? && params[:id]
@record = checked[0] ? find_by_id_filtered(ServiceTemplate, checked[0]) : ServiceTemplate.new
@record = checked_id || ServiceTemplate.new
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

- @record = checked[0] ? find_by_id_filtered(ServiceTemplate, checked[0]) : ServiceTemplate.new
this was right

PanSpagetka
PanSpagetka reviewed Mar 24, 2017
View reviewed changes
app/controllers/catalog_controller.rb Outdated
assert_privileges(params[:pressed]) if params[:pressed]
checked = find_checked_items
assert_privileges(params[:pressed]) if params[:pressed].present?
checked_id = find_checked_id_items_with_rbac(ServiceTemplate).first || test_item_with_rbac(ServiceTemplate, params[:id])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this check is not needed here.

@romanblanco romanblanco force-pushed the fix_rbac_catalog_servicetemplate_edit branch from 2976866 to a10efa1 Compare March 24, 2017 09:50
@romanblanco romanblanco changed the title [WIP] Check selected Service Catalog Item for RBAC Check selected Service Catalog Item for RBAC Mar 24, 2017
@miq-bot miq-bot removed the wip label Mar 24, 2017
@romanblanco
Copy link
Member Author

romanblanco commented Mar 24, 2017
edited
Loading

@PanSpagetka thanks for the review 👍

@martinpovolny after my changes I've realised, this method was not problematic, but anyway, I think we could use the changes, after I took back what was wrong.

I've introduced a method test_item_with_rbac, that will be useful later, and the code should be now readable, working same as before.

@romanblanco romanblanco force-pushed the fix_rbac_catalog_servicetemplate_edit branch 4 times, most recently from 69a8ae0 to d38bf8b Compare March 24, 2017 15:08
romanblanco
romanblanco commented Mar 24, 2017
View reviewed changes
app/controllers/application_controller.rb Outdated
# Params:
# klass - class of accessed object
# id - accessed object id
def find_by_id_filtered(klass, id, options = {})
Copy link
Member Author

@romanblanco romanblanco Mar 24, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to change this methods name to find_item_with_rbac:

  • to stop getting comments like

    " ❗️ - Line 64, Col 37 - Rails/DynamicFindBy - Use find_by instead of dynamic find_by_id_filtered."

  • to have similar name as find_checked_items_with_rbac, that does the same, except for 2 or more items

any ideas before I do the change? @martinpovolny @PanSpagetka

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I aggree. It's good to rename the method so that Brakeman does not get confused.

@romanblanco romanblanco force-pushed the fix_rbac_catalog_servicetemplate_edit branch from d38bf8b to 3701f4b Compare March 24, 2017 15:16
@romanblanco
Check selected Service Catalog Item for RBAC
19d9369 
method: servicetemplate_edit
reproduce: Services -> Catalogs -> Catalog Item -> Select Service Catalog Items
           -> (Edit Selected Item / Add a New Catalog Item / Add a New Catalog Bundle)
@romanblanco romanblanco force-pushed the fix_rbac_catalog_servicetemplate_edit branch 3 times, most recently from 82a0212 to 3607a01 Compare March 29, 2017 14:12
@martinpovolny
Copy link
Member

@romanblanco : please, fix the failing spec, otherwise looks good 👍

@romanblanco
Don't fetch the same data from database twice
4284a0b 
Also I have removed unnecessary parameter for 'assert_rbac'.
It's not necessary to pass user in the argument when the method is always used used with current user
@romanblanco
Introduce method for checking single records on RBAC
e8dbc59
@romanblanco
Review response: Revert incorect changes
63ae9ce
@romanblanco
Removed method introduced in 067b4f8
fcd179f 
There is already a method that can be used for the same as the one I've introduced.
@romanblanco
Renamed method 'find_by_id_filtered' methods name to 'find_record_wit…
dad3455 
…h_rbac'

    - to stop getting comments like:
      " ❗️ - Line 64, Col 37 - Rails/DynamicFindBy - Use find_by instead of dynamic find_by_id_filtered."

    - to have similar name as 'find_checked_items_with_rbac' (that is still not expressive enough), that does the same, except for 2 or more items
@romanblanco
Added method for checking RBAC on record id
ec883d5 
Added again as it turns out the method is at least temporarily needed.
@romanblanco
Renamed method for finding ids checked in GTL list
c45960e 
Renamed 'find_checked_items_with_rbac' to 'find_checked_ids_with_rbac' that should be more clear
@romanblanco
Fixes spec failing
5064aaf 
Problem was that 'find' method raises ActiveRecord::RecordNotFound if id is not found, while 'find_by' returns nil.
I'll leave the spec correction and 'find_by' replacing for a different PR
@romanblanco romanblanco force-pushed the fix_rbac_catalog_servicetemplate_edit branch from 3607a01 to 5064aaf Compare March 30, 2017 06:06
@romanblanco
Copy link
Member Author

@martinpovolny fixed.

@martinpovolny
Copy link
Member 

   raise _("Selected %{model_name} no longer exists") % {:model_name => ui_lookup(:model => klass.to_s)}
 +    end
 +    Rbac.filtered_object(tested_object, :user => current_user, :named_scope => options[:named_scope]) ||
 +      raise(_("User '%{user_id}' is not authorized to access '%{model}' record id '%{record_id}'") %

Please, unify the error messages for the 2 cases so that we do not leak any info to an unauthorized user.

@romanblanco
Copy link
Member Author

@martinpovolny updated

@romanblanco romanblanco force-pushed the fix_rbac_catalog_servicetemplate_edit branch 3 times, most recently from c670110 to 6faf046 Compare March 30, 2017 12:08
@romanblanco romanblanco force-pushed the fix_rbac_catalog_servicetemplate_edit branch from 6faf046 to 59def9c Compare March 30, 2017 12:33
@miq-bot
Copy link
Member

miq-bot commented Mar 30, 2017

Checked commits romanblanco/manageiq-ui-classic@19d9369~...59def9c with ruby 2.2.6, rubocop 0.47.1, and haml-lint 0.20.0
39 files checked, 10 offenses detected

app/controllers/application_controller.rb

app/controllers/catalog_controller.rb

app/controllers/host_controller.rb

app/controllers/report_controller/reports/editor.rb

app/controllers/vm_common.rb

@martinpovolny martinpovolny merged commit 37c1d94 into ManageIQ:master Mar 30, 2017
@martinpovolny martinpovolny self-assigned this Mar 30, 2017
@martinpovolny martinpovolny added this to the Sprint 58 Ending Apr 10, 2017 milestone Mar 30, 2017
@romanblanco romanblanco deleted the fix_rbac_catalog_servicetemplate_edit branch March 30, 2017 13:03
simaishi pushed a commit that referenced this pull request Mar 30, 2017
@martinpovolny @simaishi
Merge pull request #779 from romanblanco/fix_rbac_catalog_servicetemp…
1c67f4c 
…late_edit

Check selected Service Catalog Item for RBAC
(cherry picked from commit 37c1d94)
@simaishi
Copy link
Contributor

Fine backport details:

$ git log -1
commit 1c67f4cc93c85bab606b9c59ba16098bf01304f9
Author: Martin Povolny <[email protected]>
Date:   Thu Mar 30 15:02:51 2017 +0200

    Merge pull request #779 from romanblanco/fix_rbac_catalog_servicetemplate_edit
    
    Check selected Service Catalog Item for RBAC
    (cherry picked from commit 37c1d94294958970a720c6aee196544562fd131e)

@martinpovolny martinpovolny mentioned this pull request Mar 30, 2017
Merged
@martinpovolny
Copy link
Member

to go with #857

@himdel himdel mentioned this pull request Apr 5, 2017
Merged
This was referenced Jun 6, 2017
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PanSpagetka PanSpagetka PanSpagetka left review comments

@martinpovolny martinpovolny martinpovolny left review comments

Assignees

@martinpovolny martinpovolny

Labels
bug fine/backported rbac
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@romanblanco @martinpovolny @miq-bot @simaishi @PanSpagetka