Fixes #30387 - Remove view_bookmarks permission

Users should always be able to see public bookmarks and their own bookmarks, a permission is not needed for this case.
theforeman · Jun 16, 2021 · 81512f7 · 81512f7
1 parent 68ca9ee
commit 81512f7
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 17 deletions.
diff --git a/app/controllers/concerns/foreman/controller/bookmark_common.rb b/app/controllers/concerns/foreman/controller/bookmark_common.rb
@@ -1,9 +1,9 @@
 module Foreman::Controller::BookmarkCommon
   def resource_base
-    super.my_bookmarks
+    Bookmark.my_bookmarks
   end
 
   def resource_scope(*args)
-    super.my_bookmarks
+    Bookmark.my_bookmarks
   end
 end
diff --git a/app/registries/foreman/access_permissions.rb b/app/registries/foreman/access_permissions.rb
@@ -5,13 +5,19 @@
   permission_set.security_block :public do |map|
     map.permission :user_logout, { :users => [:logout] }, :public => true
     map.permission :view_current_user, { :"api/v2/users" => [:show_current] }, public: :true
-    map.permission :my_account, { :users => [:edit],
+    map.permission :my_account, {
+      :users => [:edit],
       :notification_recipients => [:index, :update, :destroy, :update_group_as_read, :destroy_group],
-      :"api/v2/table_preferences" => [:show, :create, :edit, :delete, :index]}, :public => true
+      :"api/v2/table_preferences" => [:show, :create, :edit, :delete, :index],
+    }, :public => true
     map.permission :api_status, { :"api/v2/home" => [:status]}, :public => true
     map.permission :about_index, { :about => [:index] }, :public => true
     map.permission :user_menu, { :user_menus => [:menu] }, :public => true
     map.permission :links, { :links => [:show] }, :public => true
+    map.permission :bookmarks, {
+      :bookmarks => [:index, :show, :auto_complete_search, :welcome],
+      :"api/v2/bookmarks" => [:index, :show],
+    }, :public => true
   end
 
   permission_set.security_block :architectures do |map|
@@ -52,9 +58,6 @@
   end
 
   permission_set.security_block :bookmarks do |map|
-    map.permission :view_bookmarks,
-      :bookmarks => [:index, :show, :auto_complete_search, :welcome],
-      :"api/v2/bookmarks" => [:index, :show]
     map.permission :create_bookmarks,
       :bookmarks => [:new, :create],
       :"api/v2/bookmarks" => [:new, :create]

diff --git a/db/migrate/20210502113529_drop_view_bookmarks_permission.rb b/db/migrate/20210502113529_drop_view_bookmarks_permission.rb
@@ -0,0 +1,11 @@
+class DropViewBookmarksPermission < ActiveRecord::Migration[6.0]
+  def up
+    Permission.where(name: 'view_bookmarks').destroy_all
+    # clean up any empty filters left behind
+    Filter.where.not(id: Filtering.distinct.select(:filter_id)).destroy_all
+  end
+
+  def down
+    # Will be recreated automatically by seeds
+  end
+end
diff --git a/db/seeds.d/020-permissions_list.rb b/db/seeds.d/020-permissions_list.rb
@@ -11,7 +11,6 @@ def permissions
         ['AuthSource', 'create_authenticators'],
         ['AuthSource', 'edit_authenticators'],
         ['AuthSource', 'destroy_authenticators'],
-        ['Bookmark', 'view_bookmarks'],
         ['Bookmark', 'create_bookmarks'],
         ['Bookmark', 'edit_bookmarks'],
         ['Bookmark', 'destroy_bookmarks'],

diff --git a/db/seeds.d/020-roles_list.rb b/db/seeds.d/020-roles_list.rb
@@ -30,7 +30,7 @@ def seeded_roles
                                              :view_users, :edit_users, :view_realms, :view_mail_notifications,
                                              :view_params, :view_ssh_keys, :view_personal_access_tokens],
                             :description => 'Role granting mostly view permissions but also permissions required for managing hosts in the infrastructure. Users with this role can update puppet parameters, create and edit hosts, manage installation media, subnets, usergroups and edit existing users.' },
-        'Bookmarks manager' => { :permissions => [:view_bookmarks, :create_bookmarks, :edit_bookmarks, :destroy_bookmarks],
+        'Bookmarks manager' => { :permissions => [:create_bookmarks, :edit_bookmarks, :destroy_bookmarks],
                                  :description => 'Role granting permissions for managing search bookmarks. Usually useful in combination with Viewer role. This role also grants the permission to update all public bookmarks.' },
         'Auditor' => { :permissions => [:view_audit_logs],
                        :description => 'Role granting permission to view only the Audit log and nothing else.',
@@ -40,7 +40,7 @@ def seeded_roles
 
     def default_role
       {
-        'Default role' => { permissions: [:view_bookmarks, :view_tasks],
+        'Default role' => { permissions: [:view_tasks],
                             description: 'Role that is automatically assigned to every user in the system. Adding a permission grants it to everybody',
         },
       }

diff --git a/test/fixtures/permissions.yml b/test/fixtures/permissions.yml
@@ -39,11 +39,6 @@ destroy_authenticators:
   resource_type: AuthSource
   created_at: "2013-12-04 08:41:04.414794"
   updated_at: "2013-12-04 08:41:04.414794"
-view_bookmarks:
-  name: view_bookmarks
-  resource_type: Bookmark
-  created_at: "2013-12-04 08:41:04.423092"
-  updated_at: "2013-12-04 08:41:04.423092"
 create_bookmarks:
   name: create_bookmarks
   resource_type: Bookmark

diff --git a/test/graphql/mutations/bookmarks/delete_mutation_test.rb b/test/graphql/mutations/bookmarks/delete_mutation_test.rb
@@ -42,10 +42,10 @@ class DeleteMutationTest < ActiveSupport::TestCase
         end
       end
 
-      context 'with user with view permissions' do
+      context 'with user without permissions' do
         setup do
           bookmark
-          @user = setup_user 'view', 'bookmarks'
+          @user = FactoryBot.create(:user)
         end
 
         test 'cannot delete a bookmark' do