New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #9947 - restrict user taxonomies if none is set #2273
Conversation
dddca9d
to
fc38bed
Compare
TaxableTaxonomy.where(:taxable_type => self.name, :taxonomy_id => taxonomy_ids).pluck(:taxable_id).compact.uniq | ||
conditions = { :taxable_type => self.name } | ||
if taxonomy.present? | ||
taxonomy_ids = Array(taxonomy).map { |t| t.send(inner_method) + t.ancestor_ids }.flatten.uniq |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is the 3rd time this logic appears, should it be extracted to a method?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had same feeling, just didn't know where to put it. It's in Taxonomix, Organization and Location. Maybe it could be Taxonomy class method? (I just don't want to introduce new concern).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would this make it any better?
def used_organization_ids
enforce_default
return [] unless which_organization && SETTINGS[:organizations_enabled]
get_taxonomy_ids(which_organization, which_ancestry_method) { |o, method| o.send(method) + o.ancestor_ids }
end
def get_taxonomy_ids(taxonomy, method, &block)
Array(taxonomy).map { |t| block.call(t, method) }.flatten.uniq
end
98cad2a
to
477a508
Compare
👍 from my side, @domcleal mind having another look? |
a27e599
to
5892ab0
Compare
[test] |
conditions[:organization_id] = org.subtree_ids if org | ||
conditions[:location_id] = loc.subtree_ids if loc | ||
conditions[:organization_id] = Array(org).map {|o| o.subtree_ids }.flatten.uniq if org.present? | ||
conditions[:location_id] = Array(loc).map {|l| l.subtree_ids }.flatten.uniq if loc.present? | ||
where(conditions) | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you move this to Host::Base?
The code looks good to me. I will test against Discovery.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd change this as a separate PR, we should also move belongs_to
and maybe more methods.
anything I could do to make this reviewed/merged? |
@ares Thanks, good patch, it's almost ready I'd say, but I found what looks like a important problem: This is blocking users from being able to see taxable stuff with no taxonomy assigned. Following on the Redmine issue, try with 3 hosts:
The expected result (I think) should be that the use can see 1 and 3, but not 2. However with this patch the user will only see 1, and 3 is hidden for every user but admins. Other comments:
|
@elobato so as disccussed, the first issue you mention is subject of following discussions and IMHO separate issue other comments
|
Not a big deal really, that's a misconfiguration if there are hosts present without multiorg attrs. |
@domcleal It was probably a bad example, it applies for any object with taxonomies, not only hosts. I just happen to have misconfigured hosts without taxonomies myself. |
the way it works now if you select some org as a user, you also don't see global resources so I'd say if we want to have global resources to be visible (in both any org context and in specific org context) it's a separate issue |
@ares I think we all agree we don't want to have global resources to be visible on specific contexts, however on Any context I think they should be visible. |
@elobato, so I might be the only one that disagree, I'd say that if they are global and we display them in any context, then it means they are also in org A and we should display then in there. I'd say it's either in both or none contexts. Clearly there's no obvious expectation and we can't say if displaying in any context (behaviour until now) was feature or bug, so if there will be some decision, it should be discussed, documented and implemented as separate issue. |
I'm with @ares on this one, clearly admin in any context see everything, non admin users in any context should see only their orgs resources and thats it. having undefined objects pop up, to me, sounds like an alarming security concern then anything else. |
Ok I tested this today - it works as expected ;-) |
No description provided.