diff --git a/rundeckapp/grails-app/conf/AuthorizationFilters.groovy b/rundeckapp/grails-app/conf/AuthorizationFilters.groovy
index f70ed479afa..40ef90b5c65 100644
--- a/rundeckapp/grails-app/conf/AuthorizationFilters.groovy
+++ b/rundeckapp/grails-app/conf/AuthorizationFilters.groovy
@@ -75,6 +75,7 @@ public class AuthorizationFilters {
 '_dosave': _wf_create,
 //read
 'show': _wf_read,
+ 'apiJobExport': _wf_read,
 //update
 'update': _wf_update,
 '_doupdate': _wf_update,
@@ -83,16 +84,21 @@ public class AuthorizationFilters {
 //delete
 'delete': _wf_delete,
 'deleteBulk': _wf_delete,
+ 'apiJobDelete': _wf_delete,
 //run
 'execute': _wf_run,
 'executeInline': _wf_run,
 'runJobNow': _wf_run,
 'executeNow': _wf_run,
+ 'apiJobRun': _wf_run,
+ 'apiRunCommand': _wf_run,
+ 'apiRunScript': _wf_run,
 //combinations//
 //create+update
 'upload': _wf_create_update,
+ 'apiJobsImport': _wf_create_update,
 //create+run//
 'uploadAndExec': _wf_create_run,
@@ -103,11 +109,13 @@ public class AuthorizationFilters {
 //read
 'follow': _wf_read,
 'show': _wf_read,
+ 'apiExecution': _wf_read,
 'downloadOutput': _wf_read,
 'tailExecutionOutput': _wf_read,
 //kill
 'cancelExecution': _wf_kill,
+ 'apiExecutionAbort': _wf_kill,
 ],
 /*
@@ -122,7 +130,10 @@ public class AuthorizationFilters {
 'nowrunning': _wf_read,
 'nowrunningFragment': _wf_read,
 'nowrunningData': _wf_read,
+ 'apiExecutionsRunning': _wf_read,
 'queueFragment': _wf_read,
+ 'apiJobsList': _wf_read,
+ 'apiJobsExport': _wf_read,
 ],
 /*
 ReportsController authorizations
@@ -135,6 +146,7 @@ public class AuthorizationFilters {
 'commands': _ev_read,
 'jobs': _ev_read,
 'query': _ev_read,
+ 'apiHistory': _ev_read,
 ],
 /*
 FrameworkController authorizations
@@ -146,6 +158,8 @@ public class AuthorizationFilters {
 'nodesData': _rs_read,
 'nodesFragment': _rs_read,
 'listFrameworkResourceInstances': _rs_read,
+ 'apiProjects': _rs_read,
+ 'apiProject': _rs_read,
 ],
 /*
 ReportsController authorizations
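Review bot: In the hunk that also lists `execute` and `runJobNow`, the new `apiRunCommand` and `apiRunScript` keys receive the same `_wf_run` authorization as the job-run actions, and nothing in the map records that ad-hoc API execution is intentionally gated by the job-run permission; a comment above that group such as `// ad-hoc API execution shares the run authorization of job execution` would make the decision explicit for the next maintainer. The same observation applies to the other hunks of this file: the map is keyed on exact controller action names, so a key that does not match its action (or an API action left out of the map) falls to whatever default handling the filter applies, which is outside these hunks and cannot be checked here. The enclosing `AuthorizationFilters` class and the action map it contains start and end outside the hunks.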
@@ -206,6 +220,13 @@ public class AuthorizationFilters {
 def roletest = admintest || roleService.isUserInAllRoles(request,authReq)
 if (!roletest ) {
 log.error("User ${session.user} UNAUTHORIZED for ${controllerName}/${actionName}");
+ if(request.api_version){
+ //api request
+ flash.errorCode="api.error.user-unauthorized"
+ flash.errorArgs=[session.user,request.forwardURI]
+ redirect(controller: 'api', action: 'renderError')
+ return false
+ }
 flash.title = "Unauthorized"
 flash.error = "User: ${session.user} is not authorized"
 response.setHeader(Constants.X_RUNDECK_ACTION_UNAUTHORIZED_HEADER,flash.error)
diff --git a/rundeckapp/grails-app/i18n/messages.properties b/rundeckapp/grails-app/i18n/messages.properties
index 60ee9bf542a..3d17b5c8f63 100644
--- a/rundeckapp/grails-app/i18n/messages.properties
+++ b/rundeckapp/grails-app/i18n/messages.properties
@@ -248,6 +248,7 @@ execution.show.mode.Compact.desc=View all output collated by node
 # API Messages
 api.error.api-version.required=RunDeck API Version not specified
 api.error.api-version.unsupported=RunDeck API Version is not supported: {0}
+api.error.user-unauthorized={0} is not authorized for: {1}
 api.error.unknown=An unknown error occurred
 api.error.parameter.required=parameter "{0}" is required
 api.error.item.doesnotexist={0} does not exist: {1}
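Review bot: The API branch added inside `if (!roletest )` returns before the `response.setHeader(Constants.X_RUNDECK_ACTION_UNAUTHORIZED_HEADER, ...)` call that the UI path still reaches, so an API client that relied on that header to recognise a denied request no longer receives it; if the header is meant for every caller, set it before the redirect, e.g. `response.setHeader(Constants.X_RUNDECK_ACTION_UNAUTHORIZED_HEADER, "User: ${session.user} is not authorized")`. The new `api.error.user-unauthorized` message interpolates `request.forwardURI`, a request-supplied value, into the error body, so `renderError` in the api controller (outside this hunk) should be confirmed to escape its message arguments for whatever format it renders. The branch also carries the error through `flash` scope across a redirect; whether that survives for API clients that do not keep a session cookie cannot be seen here and is worth verifying. The enclosing method starts and ends outside the hunk.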