Fixes #5929 - Taxonomy filter obey permissions #1479
Conversation
|
|
ares
changed the title
| end | ||
| end | ||
| end | ||
| end |
There was a problem hiding this comment.
A test for this would be good.
There was a problem hiding this comment.
nm, found tests, my apologies.
ares
changed the title
|
lgtm. |
| assoc = assoc_base.pluralize | ||
| key = assoc_base + '_ids' | ||
|
|
||
| next if (User.current.nil? || User.current.send("#{assoc}").empty?) || (!new_record? && !self.send("#{key}_changed?")) |
There was a problem hiding this comment.
Why skip if the user isn't associated to any?
There was a problem hiding this comment.
If user is not restricted to any taxonomy (let's say org in this case) it means he can assign any organization. Imagine the opposite, global user (without taxonomy restriction) would be allowed to assign limited set of organizations. In that case all such users should probably have to be assigned all organizations otherwise they wouldn't be able to work with objects which they can see and have permissions to modify. This would be huge change for existing installations. Also it seems consistent with the fact that object assigned to no taxonomy is considered global.
|
Is the note about "Don't test yet, we may need similar change for other objects" still valid? @isratrade please review and test this, thanks. |
|
Feel free to test, I updated the comment |
|
ping @isratrade or whoever can find some time to test |
|
@ares, I'm OK with merging this, but why did you call the method |
|
It was meant to be consistent with admin flag and roles escalation. Escalation comes from privileges escalation, user could get permissions to work with objects in more taxonomies that was desired. |
|
@isratrade is there anything blocking this PR? |
|
or anyone else? maybe @witlessbird since you already saw the code |
|
ping @isratrade |
|
@ares, I tested this manually in the console for the following and all works as expected.
|
|
@ares, I tested in the UI and see that the multiple select for locations is blank if a non-admin user does not have privilege The log says |
|
Thanks @isratrade, changing labels accordingly. |
|
@ares, I thought that the PUT for |
|
so you need to set two permissions, view_locations let you see the view_location tab, assign_location gives you ability to change the assignment, but it seems you found an issue in corner case when no taxonomy is selected, I'll have to dig a bit deeper, it should probably unassign all locations in case you've described, right? |
With this patch you can assign permissions like assign_organizations and assign_locations to particular user so that they can then assign taxonomies only from set of taxonomies granted by their filters. Global users would be still able to assign any taxonomy to a resource as long as they have appropriate assign permissions. They can also leave the resource global.
|
ah I was wrong, this is expected, if you try to unassign all locations, you'd make the resource available in all locations, but since you're assigned to specific locations, you can't do that, you'd make it available somewhere where you don't have permissions |
|
rebased, setting label back to need testing |
|
@ares, it makes sense, but when testing locally, the current PR doesn't allow a non-admin user with no permission to |
|
So it turned out that we don't display the validation, because multiple select can't display it. We could workaround by adding errors to base which is not ideal. I created a redmine issue for this http://projects.theforeman.org/issues/7319 since it's out of scope of this PR. |
|
@ares, so it appears the validation issue I ran into is an edge case where a user has permission to I'm OK with merging this now. |
|
@isratrade that's correct, unfortunately we'll encounter same behaviour when user has both permissions and tries to disassociate all locations which is not that "corner" |
With this patch you can assign permissions like assign_organizations and
assign_locations to particular user so that they can then assign taxonomies
only from set of taxonomies granted by their filters.