Dont show system session for user #1917
Conversation
jelly
force-pushed
the
dont-show-system-session-for-user
branch
from
b3dcf68 to
54f83f0
Compare
test/check-machines-create
Outdated
| b.click("#create-new-vm") | ||
| b.wait_visible("#create-vm-dialog") | ||
| b.wait_not_present("#connection") |
There was a problem hiding this comment.
Do we have any other test which covers VM creation in unprivileged mode? If so, this would better fit there. If not, that's a major gap indeed, and this test should actually create the VM and check that it starts and boots fine (including the "wait for login prompt").
There was a problem hiding this comment.
I believe this is confusingly what TestMachinesLifecycle does:
def _testBasic(self, user=None, superuser=True, expect_empty_list=False, run_pixel_tests=False):
b = self.browser
m = self.machine
# We want no initial watchdog
args = self.createVm("subVmTest1", os="linux2016")
self.login_and_go("/machines", user=user, superuser=superuser)
So we can drop this test
| @@ -1331,12 +1332,13 @@ class CreateVmModal extends React.Component { | |||
|
|
|||
| const detailsTab = ( | |||
| <> | |||
| {superuser.allowed && | |||
There was a problem hiding this comment.
Hmm, I think people can create polkit rules to allow non-priv users access to the "system" connection. In fact cockpit-machines always connects to both "system" and "session" on initialization and tolerates AccessDenied errors for non-priv users.
So I think we should make a new global flag that says "can't access system connection", and use that instead of superuser.allowed in this PR. The place to set that flag is app.jsx:94, I guess.
There was a problem hiding this comment.
Polkit is a disaster if you ask me, we have no way to detect it. But plumbing the state through should work. But looking at our code this is all a bit confusing I guess we look at systemSocketInactive?
There was a problem hiding this comment.
This turns into a yakshave...
} else if ((superuser.allowed && systemSocketInactive) || loadingResources) {
So seems my solution is "correct" :) But ofcourse we can rework this.
There was a problem hiding this comment.
Or not, not sure why this even exists.
jelly
force-pushed
the
dont-show-system-session-for-user
branch
from
54f83f0 to
3a96bad
Compare
A limited access user cannot create a system session virtual machine so this would just throw an error after creation.
jelly
force-pushed
the
dont-show-system-session-for-user
branch
from
3a96bad to
09ec08f
Compare
| @@ -1059,7 +1059,7 @@ class CreateVmModal extends React.Component { | |||
| validate: false, | |||
| vmName: '', | |||
| suggestedVmName: '', | |||
| connectionName: LIBVIRT_SYSTEM_CONNECTION, | |||
| connectionName: this.props.systemSocketAvailable ? LIBVIRT_SYSTEM_CONNECTION : LIBVIRT_SESSION_CONNECTION, | |||
There was a problem hiding this comment.
This added line is not executed by any test.
This throws an error when trying to create a system session vm as limited user.