"Join public beta program" button does not work in private OBS instance (LDAP related?) #7937

Open
seife opened this issue Jul 18, 2019 · 8 comments
Labels
Bug Frontend Things related to the OBS RoR app

Comments

@seife
Contributor

seife commented Jul 18, 2019

Issue Description

In my private OBS instance, running OBS 2.10.0 on SLES12-SP4, the "Join public beta program" button does nothing. (Ok, not nothing, "user data for user 'xxx' successfully updated" appears, but nothing is updated, the button stays the same and in the database, the "in_beta" field is not updated.)

Expected Result

The user is in the "in_beta" group.

Further Information

production.log shows the following for that action:

I, [2019-07-18T08:26:00.816257 #5333]  INFO -- : [99e2d46f-4cc8-47bc-9474-c75591999651] [5333:3563.93] method=POST path=/user/save format=html controller=Webui::UserController action=save status=302 duration=10.51 view=0.00 db=1.97 location=https://my.obs/user/show/my_user params={"_method"=>"post", "authenticity_token"=>"T9aiitMgaJVTcEZdDbGgos+C3qlU3KagjGqdypPAQeuyizF6ujAw5yJZWmFj9pVMDvIyS8so3nWwlL8/2Ec6xA==", "user"=>{"in_beta"=>"1", "login"=>"my_user"}} host=10.28.205.215 time=5380.92 backend=0 user=my_user
W, [2019-07-18T08:26:00.898938 #5333]  WARN -- : [056c54f2-edd4-45dc-97c2-b08d675e370d] [5333:3564.01] DEPRECATION WARNING: Dangerous query method (method whose arguments are used as raw SQL) called with non-attribute argument(s): "projects.name as pname". Non-attribute arguments will be disallowed in Rails 6.0. This method should not be called with user-provided values, such as request parameters or model attributes. Known-safe values can be passed by wrapping them in Arel.sql(). (called from show at /srv/www/obs/api/app/controllers/webui/user_controller.rb:19)
I, [2019-07-18T08:26:00.967508 #5333]  INFO -- : [056c54f2-edd4-45dc-97c2-b08d675e370d] [5333:3564.08] method=GET path=/user/show/my_user format=html controller=Webui::UserController action=show status=200 duration=81.84 view=54.84 db=7.24 params={"user"=>"my_user"} host=10.28.205.215 time=5381.00 backend=0 user=d064615

mysql database entry for my_user:

MariaDB [api_production]> select * from users where `login` = "d064615";
+----+---------------------+----------------------------+---------------------+---------------------+---------+-------------------------+------------------+-----------------+----------------------------------+-------------------------------+--------------------------+-----------------------+-----------+----------+----------------------+---------+
| id | created_at          | updated_at                 | last_logged_in_at   | login_failure_count | login   | email                   | realname         | password_digest | deprecated_password              | deprecated_password_hash_type | deprecated_password_salt | adminnote             | state     | owner_id | ignore_auth_services | in_beta |
+----+---------------------+----------------------------+---------------------+---------------------+---------+-------------------------+------------------+-----------------+----------------------------------+-------------------------------+--------------------------+-----------------------+-----------+----------+----------------------+---------+
| 57 | 2015-09-02 07:27:33 | 2019-07-18 07:46:15.032730 | 2019-07-18 07:46:15 |                   0 | my_user| stefan.seyfried@my.obs | Seyfried, Stefan | NULL            | xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | md5                           | xxxxxxxxxx               | User created via LDAP | confirmed |     NULL |                    0 |       0 |
+----+---------------------+----------------------------+---------------------+---------------------+---------+-------------------------+------------------+-----------------+----------------------------------+-------------------------------+--------------------------+-----------------------+-----------+----------+----------------------+---------+

Note that "my_user" is admin.
Another user, who is not admin, gets "Can't edit " instead of the "User data for ... successfully updated".

@hennevogel
Member

hennevogel commented Jul 18, 2019

Do you have any feature in beta? There is a configuration file config/features.yml. What is it you are trying to achieve?

@seife
Contributor Author

seife commented Jul 18, 2019

Of course.

obs:/usr/lib/obs/server # cat /srv/www/obs/api/config/feature.yml 
production:
  features: &default
    image_templates: true
    kiwi_image_editor: false
    cloud_upload: false
    cloud_upload_azure: false
    bootstrap: true

development:
  features:
    <<: *default
    kiwi_image_editor: true
    cloud_upload: true
    cloud_upload_azure: true

test:
  features:
    <<: *default
    kiwi_image_editor: true
    cloud_upload: true
    cloud_upload_azure: true

beta:
  features:
    <<: *default
    kiwi_image_editor: true
    cloud_upload: true
    cloud_upload_azure: true

(That's the default as shipped in obs-api.rpm)
I want to enable the kiwi_image_editor.
It works if I manually change the in_beta flag in the database.

@hennevogel hennevogel added Bug Frontend Things related to the OBS RoR app labels Jul 18, 2019
@hennevogel
Member

I cannot reproduce this. Can you turn on debug logging in config/environments/production.rb by changing config.log_level = :debug?

@hennevogel hennevogel self-assigned this Jul 18, 2019
@seife
Contributor Author

seife commented Jul 19, 2019

This is :debug production.log with my (admin) user trying to enable beta mode.

delme1.txt

@seife
Contributor Author

seife commented Jul 19, 2019

app/controllers/webui/user_controller.rb:

 46     unless User.admin_session?
 47       if User.session! != @displayed_user || !@configuration.accounts_editable?(@displayed_user)
 48         flash[:error] = "Can't edit #{@displayed_user.login}"
 49         redirect_back(fallback_location: root_path)
 50         return
 51       end
 52     end
 53 
 54     if @configuration.accounts_editable?(@displayed_user)
 55       @displayed_user.assign_attributes(params[:user].slice(:realname, :email, :in_beta).permit!)
 56     end

Probably accounts_editable is false for LDAP users?

Lines 46-52 explain why a "normal" user gets an error, while the admin user doesn't and the setting is just quietly dismissed.
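
The control flow of the quoted lines 46-56, modelled as an added Ruby example (not OBS code and not part of the comment above): an admin skips the edit check, the attribute assignment is skipped for a non-editable account, and success is still reported. The `User` struct, the free-standing `accounts_editable?`, both method names and the rule "LDAP accounts are not editable" are assumptions made for illustration; the second method is one possible way to surface the skipped update.

```ruby
# Stand-in for the OBS user model (hypothetical, not the project's class).
User = Struct.new(:login, :admin, :ldap, :in_beta)

# Assumption taken from the thread's guess: LDAP-managed accounts are not editable.
def accounts_editable?(user)
  !user.ldap
end

# Mirrors the flow of the quoted lines 46-56.
def save_as_quoted(session_user, displayed_user, params)
  unless session_user.admin
    if session_user != displayed_user || !accounts_editable?(displayed_user)
      return "Can't edit #{displayed_user.login}"
    end
  end
  if accounts_editable?(displayed_user)
    displayed_user.in_beta = (params[:in_beta] == '1')
  end
  # Success is reported even when the assignment above was skipped.
  "User data for user '#{displayed_user.login}' successfully updated."
end

# Variant that reports the skipped update instead of claiming success.
def save_reporting_noop(session_user, displayed_user, params)
  unless session_user.admin || session_user == displayed_user
    return "Can't edit #{displayed_user.login}"
  end
  unless accounts_editable?(displayed_user)
    return "Can't edit #{displayed_user.login}"
  end
  displayed_user.in_beta = (params[:in_beta] == '1')
  "User data for user '#{displayed_user.login}' successfully updated."
end

# Constructed sample: an admin whose account was created via LDAP.
admin = User.new('my_user', true, true, false)
puts save_as_quoted(admin, admin, { in_beta: '1' })
puts "in_beta after save: #{admin.in_beta}"
puts save_reporting_noop(admin, admin, { in_beta: '1' })
```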

@hennevogel
Member

hennevogel commented Jul 19, 2019

Ah LDAP, okay. I guess we did not think about this vector. I guess for now you can enable the Kiwi Editor for everybody in feature.yml?

@hennevogel hennevogel removed their assignment Aug 23, 2019
@vpereira
Contributor

Is it still relevant, @hennevogel?

@hennevogel
Member

Sure.
