Fix server error and prohibit team org member assignment #412
Merged
AlanCoding force-pushed the team_team_ouch branch from a10609c to 4a11fd4 on May 28, 2024 15:53

relrod approved these changes on May 29, 2024

AlanCoding force-pushed the team_team_ouch branch from 4a11fd4 to 106607f on May 29, 2024 12:41
thedoubl3j pushed a commit to thedoubl3j/django-ansible-base that referenced this pull request on Jun 18, 2024
This prohibits (by default, at least) teams from being given the organization member permission. This is a little more gory than the other checks, which are generalized to a fault. But this relies on the existence of the Organization "member" permission, which DAB RBAC was reluctant to give any first-class treatment for up until now. So that's why it didn't happen before, and why the condition sucks a little bit.

The server error is from the "tracked_relationship" thing, which I am trying to delete as soon as I am able to. But for now, it was erroring when it tried to synchronize team role assignments to the organization users list. That's not a thing. Organization members are a collection of only the User type.

fixes:

```
TypeError: attribute name must be string, not 'NoneType'
2024-05-21 19:38:39,061 ERROR django.request Internal Server Error: /api/v1/role_team_assignments/
Traceback (most recent call last):
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/django/views/decorators/csrf.py", line 56, in wrapper_view
    return view_func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/rest_framework/viewsets.py", line 124, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/rest_framework/views.py", line 509, in dispatch
    response = self.handle_exception(exc)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/rest_framework/views.py", line 469, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
    raise exc
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/rest_framework/views.py", line 506, in dispatch
    response = handler(request, *args, **kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/rest_framework/mixins.py", line 19, in create
    self.perform_create(serializer)
  File "/home/alancoding/repos/awx/testing/django-ansible-base/ansible_base/rbac/api/views.py", line 69, in perform_create
    return super().perform_create(serializer)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/rest_framework/mixins.py", line 24, in perform_create
    serializer.save()
  File "/home/alancoding/repos/awx/testing/django-ansible-base/ansible_base/lib/serializers/validation.py", line 26, in save
    return super().save(**kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/venvs/awx/lib64/python3.12/site-packages/rest_framework/serializers.py", line 208, in save
    self.instance = self.create(validated_data)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/repos/awx/testing/django-ansible-base/ansible_base/rbac/api/serializers.py", line 274, in create
    assignment = rd.give_permission(actor, obj)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/repos/awx/testing/django-ansible-base/ansible_base/rbac/models.py", line 187, in give_permission
    return self.give_or_remove_permission(actor, content_object, giving=True)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/alancoding/repos/awx/testing/django-ansible-base/ansible_base/rbac/models.py", line 253, in give_or_remove_permission
    tracker.sync_relationship(actor, content_object, giving=giving)
  File "/home/alancoding/repos/awx/testing/django-ansible-base/ansible_base/rbac/triggers.py", line 320, in sync_relationship
    manager = getattr(content_object, self.team_relationship)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: attribute name must be string, not 'NoneType'
```
I am reminded that I vaguely remembered that I needed to add this restriction but never got to the point it was imminent. Now it is:
This prohibits (by default, at least) teams from being given the organization member permission. This is a little more gory than the other checks, which are generalized to a fault. But this relies on the existence of the Organization "member" permission, which DAB RBAC was reluctant to give any first-class treatment for up until now. So that's why it didn't happen before, and why the condition sucks a little bit.
The server error is from the "tracked_relationship" thing, which I am trying to delete as soon as I am able to. But for now, it was erroring when it tried to synchronize team role assignments to the organization users list. That's not a thing. Organization members are a collection of only the User type.
fixes:
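The failure and the guard this pull request describes, as an added example (not code from django-ansible-base): the classes, the `member_organization` codename and the `allow_team_org_member` switch are assumptions made for illustration. It shows the unguarded path raising the `TypeError` from the traceback, and validation rejecting a team assignment before the relationship sync runs.

```python
# Added example with simplified stand-ins; not django-ansible-base code.
from dataclasses import dataclass, field
from typing import Optional

ORG_MEMBER_PERMISSION = "member_organization"  # assumed codename


class ValidationError(Exception):
    """Stand-in for a serializer error the API would return as HTTP 400."""


@dataclass
class User:
    name: str


@dataclass
class Team:
    name: str


@dataclass
class Organization:
    name: str
    users: list = field(default_factory=list)  # holds User objects only


@dataclass
class Tracker:
    """Mirrors role assignments onto a relationship of the target object."""
    user_relationship: Optional[str] = "users"
    team_relationship: Optional[str] = None  # Organization has no team list

    def sync_relationship(self, actor, content_object):
        is_team = isinstance(actor, Team)
        attr = self.team_relationship if is_team else self.user_relationship
        # attr is None for a Team: getattr raises the TypeError in the traceback.
        getattr(content_object, attr).append(actor)


def validate_assignment(actor, permissions, allow_team_org_member=False):
    """Reject the unsupported combination before any write or sync happens."""
    if allow_team_org_member or not isinstance(actor, Team):
        return
    if ORG_MEMBER_PERMISSION in permissions:
        raise ValidationError("teams cannot be given organization membership")


def give_permission(actor, org, permissions, tracker, validate=True):
    if validate:
        validate_assignment(actor, permissions)
    tracker.sync_relationship(actor, org)
    return org.users
```

With `validate=False` the team assignment reaches `getattr(content_object, None)` and surfaces as an unhandled server error; with validation on, the caller gets a client error and the organization's user list is untouched.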