From ec15bb0a4b4f4f28a72b8ccd053d7cf6b2b8cabc Mon Sep 17 00:00:00 2001 From: Gregg Tanzillo Date: Thu, 8 Nov 2018 15:15:47 -0500 Subject: [PATCH] Authorize user with non-dynamic product feature if included in user's role - This was a bug in the logic in https://github.com/ManageIQ/manageiq/pull/18102 - This fixes test failures in the API repo --- app/models/miq_product_feature.rb | 2 +- lib/rbac/authorizer.rb | 4 +++- spec/models/miq_user_role_spec.rb | 19 +++++++++++++++---- 3 files changed, 19 insertions(+), 6 deletions(-) diff --git a/app/models/miq_product_feature.rb b/app/models/miq_product_feature.rb index 92e0e01c4f2..664467b65b6 100644 --- a/app/models/miq_product_feature.rb +++ b/app/models/miq_product_feature.rb @@ -52,7 +52,7 @@ def self.root_tenant_identifier?(identifier) end def self.current_tenant_identifier(identifier) - identifier && feature_details(identifier) && root_tenant_identifier?(identifier) ? tenant_identifier(identifier, User.current_tenant.id) : identifier + tenant_identifier(identifier, User.current_tenant.id) if identifier && feature_details(identifier) && root_tenant_identifier?(identifier) end def self.feature_yaml(path = FIXTURE_PATH) diff --git a/lib/rbac/authorizer.rb b/lib/rbac/authorizer.rb index 06c8950175f..757f7c514d8 100644 --- a/lib/rbac/authorizer.rb +++ b/lib/rbac/authorizer.rb @@ -22,10 +22,12 @@ def role_allows?(options = {}) any = options[:any] - identifier = MiqProductFeature.current_tenant_identifier(identifier) + tenant_identifier = MiqProductFeature.current_tenant_identifier(identifier) auth = if any.present? user_role_allows_any?(user, :identifiers => (identifiers || [identifier])) + elsif tenant_identifier + [identifier, tenant_identifier].any? { |i| user_role_allows?(user, :identifier => i) } else user_role_allows?(user, :identifier => identifier) end diff --git a/spec/models/miq_user_role_spec.rb b/spec/models/miq_user_role_spec.rb index 440462e3f5c..2731851a2b7 100644 --- a/spec/models/miq_user_role_spec.rb +++ b/spec/models/miq_user_role_spec.rb @@ -81,26 +81,37 @@ let!(:tenant_1) { FactoryGirl.create(:tenant, :parent => root_tenant) } let!(:tenant_2) { FactoryGirl.create(:tenant, :parent => root_tenant) } - let(:feature) { MiqProductFeature.find_all_by_identifier(["dialog_edit_editor_tenant_#{tenant_2.id}", "rbac_tenant_manage_quotas_tenant_#{tenant_2.id}"]) } - let(:role) { FactoryGirl.create(:miq_user_role, :miq_product_features => feature) } + let(:feature) { MiqProductFeature.find_all_by_identifier(["dialog_edit_editor_tenant_#{tenant_2.id}", "rbac_tenant_manage_quotas_tenant_#{tenant_2.id}"]) } + let(:non_dynamic_feature) { MiqProductFeature.find_all_by_identifier(["dialog_edit_editor", "rbac_tenant_manage_quotas"]) } + let(:role) { FactoryGirl.create(:miq_user_role, :miq_product_features => feature) } + let(:role_no_dynamic) { FactoryGirl.create(:miq_user_role, :miq_product_features => non_dynamic_feature) } let(:group_tenant_1) { FactoryGirl.create(:miq_group, :miq_user_role => role, :tenant => tenant_1) } let(:group_tenant_2) { FactoryGirl.create(:miq_group, :miq_user_role => role, :tenant => tenant_2) } + let(:group_3) { FactoryGirl.create(:miq_group, :miq_user_role => role_no_dynamic, :tenant => tenant_2) } let!(:user_1) { FactoryGirl.create(:user, :userid => "user_1", :miq_groups => [group_tenant_1]) } let!(:user_2) { FactoryGirl.create(:user, :userid => "user_2", :miq_groups => [group_tenant_2]) } + let!(:user_3) { FactoryGirl.create(:user, :userid => "user_3", :miq_groups => [group_3]) } - it "doesn't authorise user without dynamic product feature" do + it "doesn't authorize user without dynamic product feature" do User.with_user(user_1) do expect(user_1.role_allows?(:identifier => "dialog_edit_editor")).to be_falsey expect(user_1.role_allows?(:identifier => "rbac_tenant_manage_quotas")).to be_falsey end end - it "authorise user with dynamic product feature" do + it "authorize user with dynamic product feature" do User.with_user(user_2) do expect(user_2.role_allows?(:identifier => "dialog_edit_editor")).to be_truthy expect(user_2.role_allows?(:identifier => "rbac_tenant_manage_quotas")).to be_truthy end end + + it "authorize user with non-dynamic product feature" do + User.with_user(user_3) do + expect(user_3.role_allows?(:identifier => "dialog_edit_editor")).to be_truthy + expect(user_3.role_allows?(:identifier => "rbac_tenant_manage_quotas")).to be_truthy + end + end end it "should return the correct answer calling allows? when requested feature is directly assigned or a descendant of a feature in a role" do