Add tenant filtering for templates in provisioning and summary pages #17851
app/models/miq_template.rb
Outdated
@@ -36,6 +36,19 @@ def self.without_volume_templates | |||
"ManageIQ::Providers::Openstack::CloudManager::VolumeSnapshotTemplate"]) | |||
end | |||
|
|||
def self.applied_filtering | |||
tenant = User.current_user.current_group.tenant | |||
if tenant.source_id |
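Review bot: The chain User.current_user.current_group.tenant at the top of applied_filtering has no nil guard, so a call with no current user set (a background worker or a console session) raises NoMethodError instead of returning a scoped result. Consider taking the user or group as an argument and returning an empty scope when it is missing, so the tenant filter fails closed. A class method that each caller has to remember to invoke is also easy to miss on a new listing page, which would leave that page unfiltered.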
@alexander-demichev isn't the logic described in the description covered by #17058? If not, it should be added in the RBAC call (like you did in #17058) or in some mixin. I think that when we want to list templates (maybe some special type) we want to get the same result, independently of where we call it, especially when it depends on the user. Also, I noticed that you are not asking for the admin user you stated in the description (or is it accomplished by the source_id condition?).
so we need to get into the RBAC call:
and then we need to spec as well. If you have any other questions, let me know! Thanks!
e3f88b0 to 0f70bd0
@lpichler I added new tests, can you review PR? :)
0f70bd0 to f4e65e2
@lpichler Hi, can I get a review?
spec/lib/rbac/filterer_spec.rb
Outdated
it "returns all public cloud templates" do | ||
it "finds tenant's private cloud templates" do | ||
User.current_user = user_2 | ||
tenant_2.source_id = 1 |
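Review bot: User.current_user = user_2 inside the example sets process-wide state and nothing visible here resets it, so a later example can inherit user_2's tenant and pass or fail depending on run order. Set it in a before block with a matching reset in after. The following tenant_2.source_id = 1 only assigns in memory; if the filter loads the tenant through the user's group, the value needs to be persisted, ideally by creating the related source record rather than using a literal id.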
Why is there a hardcoded value 1? Isn't it possible to establish a relation?
spec/lib/rbac/filterer_spec.rb
Outdated
let(:group_2) { FactoryGirl.create(:miq_group, :tenant => tenant_2) } # T1 | ||
let(:user_2) { FactoryGirl.create(:user, :miq_groups => [group_2]) } | ||
|
||
context "when tenant doesn't have source_id" do |
Can you add something like "when tenant is not mapped"? + in other places
spec/lib/rbac/filterer_spec.rb
Outdated
expect(results).to match_array([cloud_template, cloud_template_root]) | ||
end | ||
|
||
context "should ignore" do |
Please write the reason why it should ignore instead; is it because of publicly_available => false?
spec/lib/rbac/filterer_spec.rb
Outdated
|
||
context "should ignore" do | ||
let!(:cloud_template) { FactoryGirl.create(:template_cloud, :tenant => tenant_3, :publicly_available => false) } | ||
it "private cloud templates" do |
Always use it "verb something", like "returns ..", as you have it in other places.
spec/lib/rbac/filterer_spec.rb
Outdated
expect(results).to match_array([cloud_template_2, cloud_template_3]) | ||
end | ||
|
||
let(:cloud_template_5) { FactoryGirl.create(:template_cloud, :tenant => default_tenant, :publicly_available => true) } |
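Review bot: let(:cloud_template_5) is lazy, and the expectation just above it, match_array([cloud_template_2, cloud_template_3]), never references it, so the public template on default_tenant does not exist when that example runs. The assertion therefore says nothing about whether a public template from another tenant is returned. Use let! and state explicitly in the expected array whether cloud_template_5 should be visible to this user.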
It has to be evaluated before RBAC is called. And can you put it together after the line context "when tenant has source_id"
let!(:cloud_template_2) { FactoryGirl.create(:template_cloud, :tenant => tenant_2, :publicly_available => false) }
let!(:cloud_template_3) { FactoryGirl.create(:template_cloud, :tenant => tenant_2, :publicly_available => true) }
let!(:cloud_template_4) { FactoryGirl.create(:template_cloud, :tenant => default_tenant, :publicly_available => false) }
let!(:cloud_template_5) { FactoryGirl.create(:template_cloud, :tenant => default_tenant, :publicly_available => true) }
With this, it is failing for me, so you probably need more changes here, but now it should cause sporadic failures.
thanks
@miq-bot add_label blocker
@alexander-demichev if this can be backported, can you add the gaprindashvili/yes and the hammer/yes labels
f4e65e2 to f0d226d
@lpichler I refactored tests, is it ok now? I tried to play with let!, but it seems that the only way to make tests work is to create factories right in
f0d226d to 280fd75
Checked commit alexander-demicev@280fd75 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
@miq-bot assign @gtanzillo
@gtanzillo hi, can you merge/review?
@@ -124,9 +124,13 @@ def self.display_name(number = 1) | |||
|
|||
def self.tenant_id_clause(user_or_group) | |||
template_tenant_ids = MiqTemplate.accessible_tenant_ids(user_or_group, Rbac.accessible_tenant_ids_strategy(self)) | |||
return if template_tenant_ids.empty? | |||
tenant = User.current_user.current_group.tenant |
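Review bot: tenant_id_clause receives user_or_group and uses it for accessible_tenant_ids two lines up, but the new tenant lookup reads User.current_user instead. When RBAC is evaluated for a subject other than the session user, the clause mixes one subject's accessible tenant ids with another user's tenant, which can expose private templates across tenants. Derive the tenant from user_or_group so both parts of the clause describe the same subject, and add a spec where the two differ.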
This can be simplified to User.current_user.current_tenant
Also, should this be looking at user_or_group that is passed in instead of User.current_user?
280fd75 to 560a98c
@gtanzillo is this ready to merge?
@miq-bot add_label gaprindashvili/yes
@miq-bot add_label hammer/yes
Add tenant filtering for templates in provisioning and summary pages (cherry picked from commit 142a184) https://bugzilla.redhat.com/show_bug.cgi?id=1524368
Hammer backport details:
Add tenant filtering for templates in provisioning and summary pages (cherry picked from commit 142a184) https://bugzilla.redhat.com/show_bug.cgi?id=1623561
Gaprindashvili backport details:
oops... wrong BZ in the git commit msg for G backport... The correct one is: https://bugzilla.redhat.com/show_bug.cgi?id=1598520
This PR adds tenant filtering for templates in provisioning and summary pages.
I added a new condition which finds all templates if the user is admin; if the user is not admin, only private images that belong to the user's tenant and public images should be shown.
https://bugzilla.redhat.com/show_bug.cgi?id=1524368
https://bugzilla.redhat.com/show_bug.cgi?id=1598520
https://bugzilla.redhat.com/show_bug.cgi?id=1546539
@aufi
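
The visibility rule from the PR description, combined with the review question about user_or_group versus User.current_user, as an added example in plain Ruby. It is not ManageIQ code: Template, Account, Session and both filter functions are hypothetical stand-ins, and the data is constructed.

```ruby
# Added illustration in plain Ruby (no Rails). Template, Account, Session and
# both filter functions are hypothetical stand-ins, not ManageIQ classes.
Template = Struct.new(:name, :tenant_id, :publicly_available)
Account  = Struct.new(:name, :tenant_id, :admin)

# Stand-in for a thread-global "current user" such as User.current_user.
module Session
  class << self
    attr_accessor :current_user
  end
end

# Constructed sample data: one private and one public template per tenant.
TEMPLATES = [
  Template.new("t1-private", 1, false),
  Template.new("t1-public",  1, true),
  Template.new("t2-private", 2, false),
  Template.new("t2-public",  2, true)
].freeze

# Rule from the PR description: admins see everything; other users see
# public templates plus private templates of their own tenant.
def visible?(template, account)
  return false if account.nil? # no subject: fail closed
  return true if account.admin || template.publicly_available
  !account.tenant_id.nil? && template.tenant_id == account.tenant_id
end

# Flawed shape: accepts a subject but scopes by the global session user.
def filter_by_global(templates, _subject)
  templates.select { |t| visible?(t, Session.current_user) }.map(&:name)
end

# Corrected shape: scopes by the subject that was passed in.
def filter_by_subject(templates, subject)
  templates.select { |t| visible?(t, subject) }.map(&:name)
end

ALICE = Account.new("alice", 1, false) # tenant 1, non-admin
BOB   = Account.new("bob",   2, false) # tenant 2, non-admin
ROOT  = Account.new("root",  1, true)  # admin

# Alice holds the session, but the check is evaluated on behalf of Bob.
Session.current_user = ALICE
LEAKED = filter_by_global(TEMPLATES, BOB)  # Alice's view, returned for Bob
SCOPED = filter_by_subject(TEMPLATES, BOB) # Bob's own view
```

A spec for the real filter can follow the same pattern: make the session user and the evaluated subject belong to different tenants and assert that the other tenant's private template is absent.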