Ensure that base_class of first target is used for RBAC scope
#16178
Conversation
spec/lib/rbac/filterer_spec.rb
Outdated
| results = described_class.search(:targets => targets, :user => user) | ||
| objects = results.first | ||
| expect(objects.length).to eq(4) | ||
| expect(objects).to eq(targets) |
There was a problem hiding this comment.
Ugh, sorry I didn't see this when we were writing it. Are these guaranteed to be in the same order? Maybe we should use contain_exactly or it's similar form match_array
gtanzillo
force-pushed
the
rbac-sti-base-class
branch
from
257e1a0 to
80bbc59
Compare
|
@jrafanie I made the change to use |
| @@ -279,6 +280,10 @@ def search(options = {}) | |||
| return targets, attrs | |||
| end | |||
|
|
|||
| def is_sti?(klass) | |||
| klass.respond_to?(:finder_needs_type_condition?) ? klass.finder_needs_type_condition? : false | |||
There was a problem hiding this comment.
I am just thinking if it is covered also behaviour when you will pass objects with resource_type column like
[MetricRollup.first,
VmPerformance.first]because as
ManageIQ::Providers::Redhat::InfraManager.finder_needs_type_condition? => true is true
the
VmPerformance.finder_needs_type_condition? => false is not true
There was a problem hiding this comment.
Thanks @lpichler. Let me make a test for that case and see.
There was a problem hiding this comment.
@gtanzillo what did you find? Is this a test case we need to worry about?
There was a problem hiding this comment.
@jrafanie, I discussed it with @yrudman and we added 2 more tests for this case. It turned out to be the same case that @lpichler previously did for MiqAeDomain.
Like we discussed yesterday, the case where multiple classes are represented in targets, like [MetricRollup, Vmperformance], and they are not STI would not be supported.
gtanzillo
force-pushed
the
rbac-sti-base-class
branch
from
80bbc59 to
7cda928
Compare
spec/lib/rbac/filterer_spec.rb
Outdated
| User.with_user(admin_user) do | ||
| results = described_class.search(:targets => [miq_ae_domain]).first | ||
| expect(results.first).to be_an_instance_of(MiqAeDomain) | ||
| expect(results).to match_array [miq_ae_domain] | ||
| end | ||
| end | ||
|
|
||
| it 'returns the same class as input for parents clast that is not STI' do |
| end | ||
| end | ||
|
|
||
| it 'returns the same class as input for subclass that is not STI' do |
There was a problem hiding this comment.
^ what does that mean? Is it returning a base class or subclass?
There was a problem hiding this comment.
It's returning the subclass. But, the point is that it's returning the same class that was passed to targets.
spec/lib/rbac/filterer_spec.rb
Outdated
| @@ -830,6 +870,18 @@ def get_rbac_results_for_and_expect_objects(klass, expected_objects) | |||
| expect(objects).to eq(targets) | |||
| end | |||
|
|
|||
| it "returns the correct results when targets are of different types" do | |||
There was a problem hiding this comment.
maybe this should be "returns the correct class for different classes of targets"
gtanzillo
force-pushed
the
rbac-sti-base-class
branch
2 times, most recently
from
4d9aaa0 to
3896845
Compare
When targets are passed and the instances are of different subclasses through STI, the base class needs to be used for building the scope to prevent ActiveRecord from also scoping to the subclass and limiting the results to only instances of that class. https://bugzilla.redhat.com/show_bug.cgi?id=1480812 https://bugzilla.redhat.com/show_bug.cgi?id=1467756
gtanzillo
force-pushed
the
rbac-sti-base-class
branch
from
3896845 to
cb3cb72
Compare
|
Checked commit gtanzillo@cb3cb72 with ruby 2.3.3, rubocop 0.47.1, and haml-lint 0.20.0 lib/rbac/filterer.rb
|
Ensure that `base_class` of first target is used for RBAC scope (cherry picked from commit b02bfce) https://bugzilla.redhat.com/show_bug.cgi?id=1511135 https://bugzilla.redhat.com/show_bug.cgi?id=1511130
|
Fine backport details: |
Ensure that `base_class` of first target is used for RBAC scope (cherry picked from commit b02bfce) https://bugzilla.redhat.com/show_bug.cgi?id=1511135 https://bugzilla.redhat.com/show_bug.cgi?id=1511130
When targets are passed and the instances are of different subclasses through STI, the base class needs to be used for building the scope to prevent ActiveRecord from also scoping to the subclass and limiting the results to only instances of that class.
For example - lets say that targets were passed in as instances of these classes that derive from
ExtManagementSystemWithout this change RBAC would only return the targets of the first class
ManageIQ::Providers::Redhat::InfraManagerin the resultshttps://bugzilla.redhat.com/show_bug.cgi?id=1480812
https://bugzilla.redhat.com/show_bug.cgi?id=1467756
/cc @jrafanie, @yrudman