Ensure a user's own tasks are the only ones returned when the user's role has View/My Tasks #18311
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1639387
This is a companion PR for, and must be merged before, the manageiq-api repo PR:
ManageIQ/manageiq-api#526
A role can be configured to view all tasks or only my tasks. When a user is assigned to
a role that is configured to view only "My Tasks", the API would incorrectly return all
tasks for all users.
And querying a single task by ID would return the task even if it was not owned by the
current user.
This PR corrects this erroneous condition by adding two new methods to
base_controller/renderer.rb: #find_resource and #find_collection. Each of these
two new methods is overridden in task_controller.rb, where logic is added to
correctly handle this condition.
To test:
Assign a group to a user where the group has a role configured with
View / My Tasks and without View / All Tasks
Then exercise the API for this user to query the task collection ensuring only tasks
owned by the specified user are returned:
e.g.:
curl -k "https://:@/api/tasks/"
This should only return tasks owned by the specified user and should match what the UI
shows when that specified user is logged in and lists their tasks.
and that queries for an individual task do not return a task owned by another user.
e.g.:
curl -k "https://:@/api/tasks/"
This should only return the task if it is owned by the specified user
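The ownership scoping the PR describes, as an added stand-alone example (not code from this PR or from ManageIQ): the collection and single-resource lookups both go through one scope derived from the role, so a task id owned by another user is indistinguishable from a non-existent one. Task/User structs, the feature names view_all_tasks / view_my_tasks, and the sample tasks are hypothetical.

```ruby
# Constructed example: models a find_collection / find_resource pair that
# honours a "View / My Tasks" versus "View / All Tasks" role. Identifiers
# here are hypothetical and do not match ManageIQ's own feature names.
Task = Struct.new(:id, :userid, :name)
User = Struct.new(:userid, :features) # features: Array of role feature names

ALL_TASKS = "view_all_tasks".freeze # hypothetical: View / All Tasks
MY_TASKS  = "view_my_tasks".freeze  # hypothetical: View / My Tasks

class NotFound  < StandardError; end
class Forbidden < StandardError; end

# Base scope for the caller: everything with All Tasks, only the caller's
# own rows with My Tasks, nothing at all otherwise.
def task_scope(user, tasks)
  return tasks if user.features.include?(ALL_TASKS)
  return tasks.select { |t| t.userid == user.userid } if user.features.include?(MY_TASKS)
  raise Forbidden, "role grants no task visibility"
end

def find_collection(user, tasks)
  task_scope(user, tasks)
end

# Look the id up *inside* the scope rather than fetching by id and then
# checking ownership: a foreign id yields the same NotFound as a missing one.
def find_resource(user, tasks, id)
  task_scope(user, tasks).find { |t| t.id == id } || raise(NotFound, "task #{id} not found")
end

# Constructed sample data: two users, one with each role.
TASKS = [
  Task.new(1, "alice", "refresh"),
  Task.new(2, "bob",   "provision"),
  Task.new(3, "alice", "scan"),
].freeze
ALICE_MY  = User.new("alice", [MY_TASKS]).freeze
ADMIN_ALL = User.new("root",  [ALL_TASKS]).freeze
NOBODY    = User.new("eve",   []).freeze

if __FILE__ == $0
  puts "alice sees: #{find_collection(ALICE_MY, TASKS).map(&:name).inspect}"
  puts "root sees:  #{find_collection(ADMIN_ALL, TASKS).map(&:name).inspect}"
end
```

Running the file prints alice's two tasks and root's three; the checks below cover the foreign-id and no-feature cases as well.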