Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #13164 - adding view_params permission #3592

Closed
wants to merge 1 commit into from
Closed

Fixes #13164 - adding view_params permission #3592

wants to merge 1 commit into from

Conversation

ares
Copy link
Member

@ares ares commented Jun 15, 2016

No description provided.

@theforeman-bot
Copy link
Member

There were the following issues with the commit message:

  • c321ca8 must be in the format fixes #redmine_number - brief description

If you don't have a ticket number, please create an issue in Redmine, selecting the appropriate project.

More guidelines are available in Coding Standards or on the Foreman wiki.

This message was auto-generated by Foreman's prprocessor

tbrisker
tbrisker reviewed Jun 15, 2016
View reviewed changes
app/models/concerns/host_params.rb
@@ -37,7 +37,7 @@ def host_params
return cached_host_params unless cached_host_params.blank?
hp = host_inherited_params
# and now read host parameters, override if required
host_parameters.each {|p| hp.update Hash[p.name => p.value] }
host_parameters.authorized(:view_params).each {|p| hp.update Hash[p.name => p.value] }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: why not host_parameters.authorized(:view_params).each {|p| hp[p.name] = p.value }?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's unrelated to my changes but reads much better, will do

@ares ares changed the title [WIP] Fixes #13164 - adding view_params permission Fixes #13164 - adding view_params permission Jun 15, 2016
@ares
Copy link
Member Author

ares commented Jun 15, 2016

builds on top of #3060 (commits from that PR squashed), I fixed few more things

  • migration uses fake models to avoid callbacks/validations problems in future
  • fixed tests that were using the fact that viewing params was unauthorized
  • re-allow parameter tab to be displayed for host/host groups since there are also smart class parameters to be edited
  • fixed authorizer to work with Parameter STI
  • added missing parameter check to methods loading inherited params

@orrabin orrabin mentioned this pull request Jun 20, 2016
Closed
@tbrisker tbrisker self-assigned this Jun 21, 2016
@tbrisker
Copy link
Member

I've noticed several issues by adding a role that allows all the parameter actions filtered by name:

  • When creating a filter with Parameter permissions, the autocomplete does not work for the search field.
  • Giving permission to view_params does not allow seeing global parameters in the menu. There seems to be some duplication between the "Parameter" and "Common parameter" resource types. I would prefer if there was only one resource type with the option of specifying "parameter type" filter perhaps, as this is confusing.
  • In the host edit form, global parameters are displayed under the Inherited Parameters header even if they don't match the filter (even if we leave the common parameter resource, they are not filtered even if user has no option to see global params).
  • Adding a filter to the common params resource (for example by name) does not allow seeing anything under the global params index page, even if there are global params that match the filter.
  • A user can create a parameter that does not match the filter. For example, if the user is only allowed to CRUD params matching "name ~ a", he can create a parameter with name "ddd" that will be created (but that he cannot see). Moreover, if there is a validation error (for example, empty value), the user will not see the error..

@ares
Copy link
Member Author

ares commented Jun 21, 2016

When creating a filter with Parameter permissions, the autocomplete does not work for the search field.

I'll look into this.

Giving permission to view_params does not allow seeing global parameters in the menu. There seems to be some duplication between the "Parameter" and "Common parameter" resource types. I would prefer if there was only one resource type with the option of specifying "parameter type" filter perhaps, as this is confusing.

Totally agree but that's out of the scope for this PR. We have 3 permission sets now, one for any lookup keys (smart variables + smart class parameters), one for Global parameters and one for the rest of "global" parameters e.g. DomainParameter.

In the host edit form, global parameters are displayed under the Inherited Parameters header even if they don't match the filter (even if we leave the common parameter resource, they are not filtered even if user has no option to see global params).

Can you reproduce this without the PR as well? It might be different issue since global params use different permission.

Adding a filter to the common params resource (for example by name) does not allow seeing anything under the global params index page, even if there are global params that match the filter.

I think the same as above apply.

A user can create a parameter that does not match the filter. For example, if the user is only allowed to CRUD params matching "name ~ a", he can create a parameter with name "ddd" that will be created (but that he cannot see). Moreover, if there is a validation error (for example, empty value), the user will not see the error..

This is known limitation of permission system. Since it's based on scope search which can only limit persisted data using SQL query we have no way to determine if the object that's being created fits conditions. There was a design for how to solve it but it was not implemented, I don't remember anyone asking it. Validation error might be something specific to parameters though.

@ares
Copy link
Member Author

ares commented Jun 21, 2016

When creating a filter with Parameter permissions, the autocomplete does not work for the search field.

We ignore auto complete on purpose since there's no controller we could use for auto-completion in this case. 1) we don't know what exact type of parameter we'd search for, 2) there's a controller only for global parameters, other are handled by domain/os/hostgroup/host controllers

I'd recommend keeping it as it is and improve permissions first. @orrabin suggested adding params permissions per resource in original PR. Either this or maybe it would make sense to split permissions per parameter type e.g. Domain parameter, OsParameter etc. In such case we could add auto-completion.

@tbrisker
Copy link
Member

tbrisker commented Jun 21, 2016
edited
Loading

Adding a filter to the common params resource (for example by name) does not allow seeing anything under the global params index page, even if there are global params that match the filter.

I think the same as above apply.

This works correctly on develop. The other one is indeed also broken on develop.

@tbrisker
Copy link
Member

@ares I'm not very happy with having so many permissions for similar things but I agree this is out of scope for this PR.
Could you please open a refactor issue on redmine to handle merging the permission sets?
As for autocomplete, we could add a controller that only does autocomplete for Parameter, but I guess this could also be part of the aforementioned refactoring (if we have a parameter controller, we could have the global parameters page show all parameter types rather then just globals and allow filtering by type)

@ares
Copy link
Member Author

ares commented Jun 22, 2016

@tbrisker I fixed the common parameter issue, good catch. I opened refactoring issue for permissions refactoring.

@tbrisker
Copy link
Member

LGTM, I did some manual test with the new permission with various filters and it seems to fix the issue at hand and this seems to work well.
Just a couple of minor points left:

  • Add the view_params permission to the Site Manager role in the seed and to the existing role like we do for viewer.
  • Squash the two commits together and add a short explanation to the commit message.

After that, if there are no objections, I believe we are good to merge.

@ares
Copy link
Member Author

ares commented Jun 23, 2016
edited
Loading

I've updated seed and migration. I think in these rare cases where PR contains more commits we merge them to one during cherry-pick and just credit authors on merge. I can do it in here if you want, I hope @orrabin is OK with my changes being recorded under her name (which makes her responsible for bugs I left there :-)

@ares
Copy link
Member Author

ares commented Jun 23, 2016

[test] failure is unrelated

@orrabin @ares
Fixes #13164 - adding view_params permission
6f0c45e 
A new view_params permission was added for parameters inheriting from
Parameter object. The only exception is global parameters which are
already handled by filter for CommonParameter resource.

This new permissions is also automatically added to viewer and site
manager roles. With the patch it's now possible to use granular filters
for all parameters that Foreman supports.

Contributions from:
* Ori Rabin (orrabin) <orabin@redhat.com>
* Marek Hulán (ares) <mhulan@redhat.com>
@tbrisker
Copy link
Member

Merged as c7f55be, with minor modification to commit message. Thanks @orrabin and @ares!

@tbrisker tbrisker closed this Jun 23, 2016
@tbrisker
Copy link
Member

@ares @orrabin this will need a release note in the 1.13 manual once it is branched.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@tbrisker tbrisker

Labels
Ready to merge
Projects
None yet
Milestone
No milestone
4 participants
@ares @theforeman-bot @tbrisker @orrabin