-
Notifications
You must be signed in to change notification settings - Fork 897
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ownership for MiqRequest in RBAC #17208
Merged
gtanzillo
merged 6 commits into
ManageIQ:master
from
lpichler:restrict_miq_request_by_users_group
Mar 28, 2018
Merged
Add ownership for MiqRequest in RBAC #17208
gtanzillo
merged 6 commits into
ManageIQ:master
from
lpichler:restrict_miq_request_by_users_group
Mar 28, 2018
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lpichler
force-pushed
the
restrict_miq_request_by_users_group
branch
from
March 27, 2018 15:55
2f8885a
to
8918547
Compare
Checked commit lpichler@8918547 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 |
from get_self_service_objects to self_service_ownership_scope
¬(A∨B∨C)=¬A∧¬B∧¬C return nil if miq_group.nil? || !miq_group.self_service? || !(klass < OwnershipMixin) to return unless !(miq_group.nil? || !miq_group.self_service? || !(klass < OwnershipMixin)) to return unless !miq_group.nil? && !!miq_group.self_service? && !!(klass < OwnershipMixin) to return unless miq_group.present? && miq_group.self_service? && klass < OwnershipMixin to(add to method) return nil unless self_service_ownership_scope?(miq_group, klass)
lpichler
force-pushed
the
restrict_miq_request_by_users_group
branch
from
March 28, 2018 12:28
8918547
to
97324fc
Compare
lpichler
changed the title
[WIP] Restrict MiqRequest by user's group
Add ownership for MiqRequest in RBAC
Mar 28, 2018
gtanzillo
approved these changes
Mar 28, 2018
@lpichler @gtanzillo Can this be |
simaishi
pushed a commit
that referenced
this pull request
Apr 2, 2018
…_group Add ownership for MiqRequest in RBAC (cherry picked from commit 0969759) https://bugzilla.redhat.com/show_bug.cgi?id=1562777
Gaprindashvili backport details:
|
@simaishi No, there are conflicts, I will create a FINE PR. |
lpichler
pushed a commit
to lpichler/manageiq
that referenced
this pull request
Apr 3, 2018
…by_users_group Add ownership for MiqRequest in RBAC
Backported to Fine via #17245 |
yrudman
added a commit
to yrudman/manageiq
that referenced
this pull request
May 23, 2018
…tAsTaggable concern. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1576129
d-m-u
pushed a commit
to d-m-u/manageiq
that referenced
this pull request
Jun 6, 2018
…by_users_group Add ownership for MiqRequest in RBAC
jrafanie
added a commit
to jrafanie/manageiq
that referenced
this pull request
Jun 29, 2018
MiqRequest was changed to allow ownership for self service and limited self-service users in ManageIQ ManageIQ#17208, BZ: 1545395 This caused a problem if you had tag filters assign to a user's group undefined method `find_tags_by_grouping'. This was fixed in ManageIQ ManageIQ#17466, BZ: 1576129, and shipped with: Fine: https://bugzilla.redhat.com/show_bug.cgi?id=1583711 Gaprindindashvili: https://bugzilla.redhat.com/show_bug.cgi?id=1583710 Unfortunately, this second fix to add taggable caused a new bug: users in groups having tag filters could not see their own requests. This commit changes MiqRequest to no longer be taggable, since it's not even taggable in the UI and instead, we add MiqRequest to a list of models that are RBAC'able but not taggable so we don't try to filter MiqRequest based on a user's group tag filters. Credit goes to github user LorkScorguar who reported this issue and provided lots of diagnostics to help us fix this properly. For gaprindashvili and fine: Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596738 For hammer: Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1576129
jrafanie
added a commit
to jrafanie/manageiq
that referenced
this pull request
Jun 29, 2018
MiqRequest was changed to allow ownership for self service and limited self-service users in ManageIQ ManageIQ#17208, BZ #1545395 This caused a problem if you had tag filters assign to a user's group undefined method `find_tags_by_grouping'. This was fixed in ManageIQ ManageIQ#17466, BZ #1576129, and shipped with: Fine: BZ #1583711 Gaprindindashvili: BZ #1583710 Unfortunately, this second fix to add taggable caused a new bug: users in groups having tag filters could not see their own requests. This commit changes MiqRequest to no longer be taggable, since it's not even taggable in the UI and instead, we add MiqRequest to a list of models that are RBAC'able but not taggable so we don't try to filter MiqRequest based on a user's group tag filters. Credit goes to github user LorkScorguar who reported this issue and provided lots of diagnostics to help us fix this properly. For gaprindashvili and fine: Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596738 For hammer: Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1576129
jrafanie
added a commit
to jrafanie/manageiq
that referenced
this pull request
Jun 29, 2018
MiqRequest was changed to allow ownership for self service and limited self-service users in ManageIQ ManageIQ#17208, BZ #1545395 This caused a problem if you had tag filters assign to a user's group undefined method `find_tags_by_grouping'. This was fixed in ManageIQ ManageIQ#17466, BZ #1576129, and shipped with: Fine: BZ #1583711 Gaprindindashvili: BZ #1583710 Unfortunately, this second fix to add taggable caused a new bug: users in groups having tag filters could not see their own requests. This commit changes MiqRequest to no longer be taggable, since it's not even taggable in the UI and instead, we add MiqRequest to a list of models that are RBAC'able but not taggable so we don't try to filter MiqRequest based on a user's group tag filters. Credit goes to github user LorkScorguar who reported this issue and provided lots of diagnostics to help us fix this properly. To test this, simply assign managed filters to a user's group, such as /managed/environments/production, create a request for that user and try to see that user's request. They couldn't see it if they received the intermediate fix, ManageIQ#17466, or if they didn't receive that fix, they'd receive the `find_tags_by_grouping` error shown above. For gaprindashvili and fine: Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596738 For hammer: Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1576129
jrafanie
added a commit
to jrafanie/manageiq
that referenced
this pull request
Jun 29, 2018
MiqRequest was changed to allow ownership for self service and limited self-service users in ManageIQ ManageIQ#17208, BZ #1545395 This caused a problem if you had tag filters assign to a user's group undefined method `find_tags_by_grouping'. This was fixed in ManageIQ ManageIQ#17466, BZ #1576129, and shipped with: Fine: BZ #1583711 Gaprindindashvili: BZ #1583710 Unfortunately, this second fix to add taggable caused a new bug: users in groups having tag filters could not see their own requests. This commit changes MiqRequest to no longer be taggable, since it's not even taggable in the UI and instead, we add MiqRequest to a list of models that are RBAC'able but not taggable so we don't try to filter MiqRequest based on a user's group tag filters. Credit goes to github user LorkScorguar who reported this issue and provided lots of diagnostics to help us fix this properly. To test this, simply assign managed filters to a user's group, such as /managed/environments/production, create a request for that user and try to see that user's request. They couldn't see it if they received the intermediate fix, ManageIQ#17466, or if they didn't receive that fix, they'd receive the `find_tags_by_grouping` error shown above. For gaprindashvili and fine: Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1596738 For hammer: Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1576129
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Self service and limited self service users will see only his or his group's users miq_requests after this fix.
For ownership of MiqRequests to users we are using
requester_id
.Links
https://bugzilla.redhat.com/show_bug.cgi?id=1545395
@miq-bot assign @gtanzillo