-
Notifications
You must be signed in to change notification settings - Fork 982
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixes #13164 - adding view_params permission #3592
Conversation
There were the following issues with the commit message:
If you don't have a ticket number, please create an issue in Redmine, selecting the appropriate project. More guidelines are available in Coding Standards or on the Foreman wiki. This message was auto-generated by Foreman's prprocessor |
@@ -37,7 +37,7 @@ def host_params | |||
return cached_host_params unless cached_host_params.blank? | |||
hp = host_inherited_params | |||
# and now read host parameters, override if required | |||
host_parameters.each {|p| hp.update Hash[p.name => p.value] } | |||
host_parameters.authorized(:view_params).each {|p| hp.update Hash[p.name => p.value] } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nitpick: why not host_parameters.authorized(:view_params).each {|p| hp[p.name] = p.value }
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's unrelated to my changes but reads much better, will do
builds on top of #3060 (commits from that PR squashed), I fixed few more things
|
I've noticed several issues by adding a role that allows all the parameter actions filtered by name:
|
I'll look into this.
Totally agree but that's out of the scope for this PR. We have 3 permission sets now, one for any lookup keys (smart variables + smart class parameters), one for Global parameters and one for the rest of "global" parameters e.g. DomainParameter.
Can you reproduce this without the PR as well? It might be different issue since global params use different permission.
I think the same as above apply.
This is known limitation of permission system. Since it's based on scope search which can only limit persisted data using SQL query we have no way to determine if the object that's being created fits conditions. There was a design for how to solve it but it was not implemented, I don't remember anyone asking it. Validation error might be something specific to parameters though. |
We ignore auto complete on purpose since there's no controller we could use for auto-completion in this case. 1) we don't know what exact type of parameter we'd search for, 2) there's a controller only for global parameters, other are handled by domain/os/hostgroup/host controllers I'd recommend keeping it as it is and improve permissions first. @orrabin suggested adding params permissions per resource in original PR. Either this or maybe it would make sense to split permissions per parameter type e.g. Domain parameter, OsParameter etc. In such case we could add auto-completion. |
This works correctly on develop. The other one is indeed also broken on develop. |
@ares I'm not very happy with having so many permissions for similar things but I agree this is out of scope for this PR. |
@tbrisker I fixed the common parameter issue, good catch. I opened refactoring issue for permissions refactoring. |
LGTM, I did some manual test with the new permission with various filters and it seems to fix the issue at hand and this seems to work well.
After that, if there are no objections, I believe we are good to merge. |
I've updated seed and migration. I think in these rare cases where PR contains more commits we merge them to one during cherry-pick and just credit authors on merge. I can do it in here if you want, I hope @orrabin is OK with my changes being recorded under her name (which makes her responsible for bugs I left there :-) |
[test] failure is unrelated |
A new view_params permission was added for parameters inheriting from Parameter object. The only exception is global parameters which are already handled by filter for CommonParameter resource. This new permissions is also automatically added to viewer and site manager roles. With the patch it's now possible to use granular filters for all parameters that Foreman supports. Contributions from: * Ori Rabin (orrabin) <orabin@redhat.com> * Marek Hulán (ares) <mhulan@redhat.com>
No description provided.