Ensure a users own tasks are the only ones returned when the users role has View/My Tasks #526
Conversation
|
@miq-bot add_label bug |
|
@miq-bot assign @abellotti |
|
@miq-bot add_label hammer/yes |
|
@bdunne Please take a look if you can. |
| @@ -1,4 +1,17 @@ | |||
| module Api | |||
| class TasksController < BaseController | |||
| def find_collection(klass) | |||
| return klass.all if current_user.role_allows?(:identifier => "miq_task_all_ui") | |||
There was a problem hiding this comment.
I'm not too familiar with how the product features stuff works, but isn't this already checked somewhere?
There was a problem hiding this comment.
Thank you for the feedback @bdunne. What is checked now is if there is a role that allows access to Tasks. There are 2 product features that allow access to Tasks, miq_task_all_ui and miq_task_my_ui. The current logic allows access to all tasks if either of these product features is set on the role associated with the group assigned to the user. The result being that even if only miq_task_my_ui product feature is set the API returns all tasks. The code changes introduced this PR adds logic to only access the tasks owned by the current user when only miq_task_my_ui product features is set.
spec/requests/tasks_spec.rb
Outdated
| it 'deletes on DELETE' do | ||
| def expect_not_deleted(*args) | ||
| args.each do |arg| | ||
| expect(MiqTask.find_by(:id => arg.id)).not_to be_nil |
There was a problem hiding this comment.
You could do something like this to remove the enumeration and extra database queries
expect(MiqTask.where(:id => args.collect(&:id)).length).to eq(args.length)There was a problem hiding this comment.
👍 I like it. Thank you! Will do.
|
@jvlcek At first glance, this seems to blur the lines of the two sides of our RBAC implementation -
This PR is attempting to limit what a user can see based on product features and not filtering. Looking at the BZ, I can understand this approach. I need to give it some thought to see if there is another way to handle this case. It seems very similar to the Access Restriction for Services, VMs, and Templates options in user roles where an admin can restrict users to |
|
@jvlcek After doing a little more research I think your approach is ok. The UI does a similar thing, indirectly. They are looking at the same product features to determine which tabs a user will see here This follows the "what a use can do" part of RBAC. But the filtering is done by virtue of the tab the user gets based on his role. The API does not have this luxury. We do something similar to you approach with report results here. But instead of hard coding the product feature, it's added to a method in I think we should follow that pattern |
|
@gtanzillo Thank you! Stay tuned while I try out that approach. |
jvlcek
force-pushed
the
bz_1639387_my_tasks
branch
from
683e17f
to
0986934
Compare
|
@miq-bot assign @gtanzillo |
|
This PR now has a companion PR which needs to be merged before this PR, ManageIQ/manageiq#18311 |
|
The continuous integration tests will fail until companion PR, ManageIQ/manageiq#18311, is merged. |
|
This pull request is not mergeable. Please rebase and repush. |
jvlcek
force-pushed
the
bz_1639387_my_tasks
branch
from
999408f
to
6f868b9
Compare
jvlcek
force-pushed
the
bz_1639387_my_tasks
branch
from
6f868b9
to
905f429
Compare
|
Checked commits jvlcek/manageiq-api@905f429~...fed0506 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0 |
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1639387
A role can be configured to view all tasks or only my tasks. When a user is assigned to
a role that is configured to view only "My Tasks" The API would incorrectly returning all
tasks for all users.
And when querying a single task by ID would return the task even if not owned by the
current user.
This PR corrects this erroneous condition by adding two new methods to the
base_controller/renderer.rb #find_resource and #find_collection. Each of these
two new methods is overridden in the task_controller.rb where logic is adding to
correctly handle this condition.
To test assign a group to a user where the group has a role configured with
View / My Tasks and without View / All Tasks
Then exercise the API for this user to query the task collection ensuring only tasks
owned by the specified user are returned:
e.g.:
curl -k "https://:@/api/tasks/"
This should only return tasks owned by the specified user and should match what the UI
shows when that specified user is logged in and lists their tasks.
and queries for individual task do not return tasks owned by another user.
e.g.:
curl -k "https://:@/api/tasks/"
This should only return the task if it is owned by the specified user