Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not change current_group for super admin user when executing Rbac#lookup_user_group #17347

Merged
merged 3 commits into from
May 1, 2018
Merged

Do not change current_group for super admin user when executing Rbac#lookup_user_group #17347

merged 3 commits into from
May 1, 2018

Conversation

yrudman
Copy link
Contributor

@yrudman yrudman commented Apr 26, 2018
edited
Loading

Changing user.current_user for superadmin and assigning group this admin does not belong-to may trigger not expected errors,
like below error raised for super admin in attempt to generate widget's content:

F, [2018-04-19T16:56:28.867955 #11598] FATAL -- : Error caught: [MiqException::RbacPrivilegeException] The user is not authorized for this task or item.
/Users/yrudman/work/rh/manageiq-ui-classic/app/controllers/application_controller.rb:2124:in `assert_privileges'
/Users/yrudman/work/rh/manageiq-ui-classic/app/controllers/report_controller/widgets.rb:36:in `widget_refresh'
/Users/yrudman/work/rh/manageiq-ui-classic/app/controllers/report_controller/widgets.rb:148:in `widget_generate_content'
/Users/yrudman/work/rh/manageiq-ui-classic/app/controllers/application_controller/explorer.rb:201:in `generic_x_button'
/Users/yrudman/work/rh/manageiq-ui-classic/app/controllers/report_controller.rb:62:in `x_button'

caused by: 55a6a33

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1564986

@miq-bot add-label bug, core, rbac

@yrudman
do not change current_group for super admin user when executing Rbac#…
d7a37e8 
…lookup_user_group

Example when updating user.current_group in group's look-up is bad: if widget set-up for different group than during content generation (triggered manually from UI) the last group will become current group for super user and this may throw unexpectd errors ( like failing ApplicationController.assert_privileges(widget_refresh)
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1564986
@mfeifer
Copy link
Contributor

mfeifer commented Apr 26, 2018

@yrudman should this still be WIP? just double checking.

@yrudman yrudman force-pushed the do-not-changed-user-current-group-when-do-rback-search branch from 1baf52a to 911af7e Compare April 26, 2018 16:54
@yrudman yrudman changed the title [WIP]Do not change current_group for super admin user when executing Rbac#lookup_user_group Do not change current_group for super admin user when executing Rbac#lookup_user_group Apr 26, 2018
@miq-bot miq-bot removed the wip label Apr 26, 2018
@yrudman
Copy link
Contributor Author

yrudman commented Apr 26, 2018

@gtanzillo It looks strange when we change current_group for user during group look-up. It was tempting to remove it for all users too (if there is need to change current_group than it should be done explicitly and not hidden in Rbac's search). However, it was there for some time, and something else can become broken....

@yrudman yrudman closed this Apr 26, 2018
@yrudman yrudman reopened this Apr 26, 2018
@JPrause
Copy link
Member

JPrause commented Apr 26, 2018

@miq-bot add_label blocker

@JPrause
Copy link
Member

JPrause commented Apr 26, 2018

@yrudman if this can be backported, can you add the gaprindashvili/yes and fine/yes labels.

@yrudman
Copy link
Contributor Author

yrudman commented Apr 27, 2018

@kbrock @lpichler could you review

bdunne
bdunne reviewed Apr 30, 2018
View reviewed changes
lib/rbac/filterer.rb Outdated
@@ -573,16 +573,18 @@ def lookup_user_group(user, userid, miq_group, miq_group_id)
miq_group_id ||= miq_group.try!(:id)
return [user, user.current_group] if user && user.current_group_id.to_s == miq_group_id.to_s

found_group = user.try(:current_group)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this line needed?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it belongs in the missing else before line 583 instead? Then it can be found_group = if... and drop all of the variable setting below.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@bdunne 👍 it looks much cleaner

@miq-bot
Copy link
Member

miq-bot commented May 1, 2018

Checked commits yrudman/manageiq@d7a37e8~...c798fc5 with ruby 2.3.3, rubocop 0.52.1, haml-lint 0.20.0, and yamllint 1.10.0
2 files checked, 0 offenses detected
Everything looks fine. ⭐

@bdunne bdunne merged commit 2d81fce into ManageIQ:master May 1, 2018
@bdunne bdunne self-assigned this May 1, 2018
@bdunne bdunne added this to the Sprint 85 Ending May 7, 2018 milestone May 1, 2018
@yrudman yrudman deleted the do-not-changed-user-current-group-when-do-rback-search branch May 1, 2018 14:21
simaishi pushed a commit that referenced this pull request May 1, 2018
@bdunne @simaishi
Merge pull request #17347 from yrudman/do-not-changed-user-current-gr…
35dc609 
…oup-when-do-rback-search

Do not change current_group for super admin user when executing Rbac#lookup_user_group
(cherry picked from commit 2d81fce)

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1573539
@simaishi
Copy link
Contributor

simaishi commented May 1, 2018

Gaprindashvili backport details:

$ git log -1
commit 35dc609e78a6d7e57e6903a159e72f1ddc180266
Author: Brandon Dunne <brandondunne@hotmail.com>
Date:   Tue May 1 09:38:12 2018 -0400

    Merge pull request #17347 from yrudman/do-not-changed-user-current-group-when-do-rback-search
    
    Do not change current_group for super admin user when executing Rbac#lookup_user_group
    (cherry picked from commit 2d81fcec137de378fbbb377e52f6fcea1baa7124)
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1573539

simaishi pushed a commit that referenced this pull request May 1, 2018
@bdunne @simaishi
Merge pull request #17347 from yrudman/do-not-changed-user-current-gr…
a826134 
…oup-when-do-rback-search

Do not change current_group for super admin user when executing Rbac#lookup_user_group
(cherry picked from commit 2d81fce)

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1573540
@simaishi
Copy link
Contributor

simaishi commented May 1, 2018

Fine backport details:

$ git log -1
commit a826134c7e9e9cbacbf532c0856ef512f4c141fd
Author: Brandon Dunne <brandondunne@hotmail.com>
Date:   Tue May 1 09:38:12 2018 -0400

    Merge pull request #17347 from yrudman/do-not-changed-user-current-group-when-do-rback-search
    
    Do not change current_group for super admin user when executing Rbac#lookup_user_group
    (cherry picked from commit 2d81fcec137de378fbbb377e52f6fcea1baa7124)
    
    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1573540

d-m-u pushed a commit to d-m-u/manageiq that referenced this pull request Jun 6, 2018
@bdunne @d-m-u
Merge pull request ManageIQ#17347 from yrudman/do-not-changed-user-cu…
e6b7894 
…rrent-group-when-do-rback-search

Do not change current_group for super admin user when executing Rbac#lookup_user_group
(cherry picked from commit 2d81fce)

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1573540
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bdunne bdunne bdunne left review comments

Assignees

@bdunne bdunne

Labels
blocker bug core/rbac core fine/backported gaprindashvili/backported
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@yrudman @mfeifer @JPrause @miq-bot @simaishi @bdunne