Fix object permissions enforcement on Job Buttons #4993
Merged
Closes: #4988 (will also be needed in 1.6.x)
What's Changed
- `job_buttons` template tag wasn't considering object-level permissions when determining whether to enable or disable each JobButton it rendered. I added the appropriate `has_perms` check.
- `JobButtonRunView` implementation was also not considering object-level permissions. In this case this view is redundant as a JobButton's underlying Job can be invoked just as easily through the `/extras/jobs/<id>/run/` view, which is already enforcing permissions correctly. I've therefore removed `JobButtonRunView` rather than attempt to fix it.
- `_return_url` parameter to the Job run view.
- `extras.run_jobbutton` permission on top of `extras.run_job` permission was redundant, especially since a user with `extras.run_job` permission alone could still run the underlying job without going through the JobButton. I've therefore removed `extras.run_jobbutton` as a required permission; `extras.run_job` suffices.
- `ExampleComplexJobButtonReceiver` hadn't been completely/correctly updated to work under 2.0, so I fixed it.

TODO