Merge pull request #3341 from lpichler/block_storage_discrepancies

Use correct role feature check for block|object storage summary page (cherry picked from commit a2d7a8e) https://bugzilla.redhat.com/show_bug.cgi?id=1552821
ManageIQ · Mar 22, 2018 · 03c5430 · 03c5430
1 parent 3c7fbf8
commit 03c5430
Show file tree

Hide file tree

Showing 3 changed files with 64 additions and 3 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -1249,8 +1249,7 @@ def check_generic_rbac
     end
   end
 
-  def handle_generic_rbac
-    pass = check_generic_rbac
+  def handle_generic_rbac(pass)
     unless pass
       if request.xml_http_request?
         javascript_redirect :controller => 'dashboard', :action => 'auth_error'
@@ -1271,7 +1270,7 @@ def check_privileges
 
     return if action_name == 'auth_error'
 
-    pass = %w(button x_button).include?(action_name) ? handle_button_rbac : handle_generic_rbac
+    pass = %w(button x_button).include?(action_name) ? handle_button_rbac : handle_generic_rbac(check_generic_rbac)
     $audit_log.failure("Username [#{current_userid}], Role ID [#{current_user.miq_user_role.try(:id)}] attempted to access area [#{controller_name}], type [Action], task [#{action_name}]") unless pass
   end
 

diff --git a/app/controllers/ems_storage_controller.rb b/app/controllers/ems_storage_controller.rb
@@ -31,6 +31,37 @@ def ems_storage_form_fields
     ems_form_fields
   end
 
+  TYPE_CHECK_SHOW_IDENTIFIERS = %w(ems_storage_show).freeze
+
+  def check_generic_rbac
+    ident = "#{controller_name}_#{action_name == 'report_data' ? 'show_list' : action_name}"
+    return true if TYPE_CHECK_SHOW_IDENTIFIERS.include?(ident)
+
+    super
+  end
+
+  def type_feature_role_check
+    return true unless TYPE_CHECK_SHOW_IDENTIFIERS.include?("#{controller_name}_#{action_name}") && respond_to?(:feature_role)
+
+    handle_generic_rbac(role_allows?(:feature => feature_role(@record)))
+  end
+
+  def init_show(model_class = self.class.model)
+    @record = identify_record(params[:id], model_class)
+
+    return true unless type_feature_role_check
+
+    super
+  end
+
+  def feature_role(record)
+    if record.supports_object_storage?
+      'ems_object_storage_show'
+    elsif record.supports_block_storage?
+      'ems_block_storage_show'
+    end
+  end
+
   menu_section :sto
   has_custom_buttons
 end
diff --git a/spec/controllers/ems_storage_controller_spec.rb b/spec/controllers/ems_storage_controller_spec.rb
@@ -2,4 +2,35 @@
   include_examples :shared_examples_for_ems_storage_controller, %w(openstack)
 
   it_behaves_like "controller with custom buttons"
+
+  describe "#check_generic_rbac" do
+    let(:feature)        { MiqProductFeature.find_all_by_identifier(%w(ems_block_storage_show ems_block_storage_show_list)) }
+    let(:role)           { FactoryGirl.create(:miq_user_role, :miq_product_features => feature) }
+    let(:group)          { FactoryGirl.create(:miq_group, :miq_user_role => role) }
+    let(:user)           { FactoryGirl.create(:user, :miq_groups => [group]) }
+    let(:object_storage) { FactoryGirl.create(:ems_swift) }
+    let(:block_storage)  { FactoryGirl.create(:ems_cinder) }
+
+    before(:each) do
+      EvmSpecHelper.create_guid_miq_server_zone
+      EvmSpecHelper.seed_specific_product_features(%w(ems_block_storage_show ems_block_storage_show_list))
+
+      allow(User).to receive(:current_user).and_return(user)
+      allow(Rbac).to receive(:role_allows?).and_call_original
+      login_as user
+    end
+
+    it "allows access for block_storage" do
+      controller.action_name = 'show'
+      controller.instance_variable_set(:@record, block_storage)
+      expect(controller.send(:type_feature_role_check)).to be_truthy
+    end
+
+    it "denies access for object_storage" do
+      controller.action_name = 'show'
+      allow(controller).to receive(:redirect_to)
+      controller.instance_variable_set(:@record, object_storage)
+      expect(controller.send(:type_feature_role_check)).to be_falsey
+    end
+  end
 end