Fixes #30394 - allow non-admins deal with untaxed filters #8422
Conversation
|
Issues: #30394 |
|
Alternative approach would be checking the role's taxonomies for Filter manipulation, but I believe this is what we want. |
ezr-ondrej
force-pushed
the
filters_not_taxable
branch
from
5b80234
to
3b5afb0
Compare
app/models/filter.rb
Outdated
|
|
||
| if organizations.empty? && locations.empty? | ||
| if organizations.blank? && locations.blank? |
app/models/filter.rb
Outdated
|
|
||
| if organizations.empty? && locations.empty? | ||
| if organizations.blank? && locations.blank? |
There was a problem hiding this comment.
can this ever be nil? even '' is empty
There was a problem hiding this comment.
I don't think so. build_taxonomy_search_string guarantees to return a string.
There was a problem hiding this comment.
I've rolled this back, these are not org and loc, but organizations and locations.
app/services/authorizer.rb
Outdated
| find_collection(subject.class, :permission => permission). | ||
| where(:id => subject.id).any? | ||
| col = find_collection(subject.class, :permission => permission) | ||
| Foreman::Logging.logger('permissions').debug col.collect(&:id) |
There was a problem hiding this comment.
perhaps use a block for the message so col.collect(&:id) would only be evaluated if the logger is allowed and debug level set (performance nit)
There was a problem hiding this comment.
I've just removed that.
ezr-ondrej
force-pushed
the
filters_not_taxable
branch
from
3b5afb0
to
bcfb7a1
Compare
ezr-ondrej
force-pushed
the
filters_not_taxable
branch
from
bcfb7a1
to
be6e3de
Compare
|
I've split this into two commits to have the rename method separate. |
ezr-ondrej
force-pushed
the
filters_not_taxable
branch
from
be6e3de
to
8b1c6da
Compare
app/models/filter.rb
Outdated
| orgs = if resource_taxable_by_organization? | ||
| build_taxonomy_search_string('organization') | ||
| else | ||
| '' | ||
| end | ||
| locs = if resource_taxable_by_location? | ||
| build_taxonomy_search_string('location') | ||
| else | ||
| '' | ||
| end |
There was a problem hiding this comment.
Now that I see it here, should build_taxonomy_search_string instead return '' if it's not taxable?
There was a problem hiding this comment.
looks much cleaner now :)
ezr-ondrej
force-pushed
the
filters_not_taxable
branch
3 times, most recently
from
60def6a
to
5df1bcd
Compare
|
I've fixed tests, so I believe it is ready :) |
|
No objections from my side. |
|
@ares if you have the reproducer ready for testing that would be helpful :) |
|
This seems to cause problems when there is already a filter with Filter permissions that's scoped to the org/loc. From now on, it's invalid and I don't have a way to fix that from UI, because I no longer see the org/loc tabs for this filter. We may need a migration for this. Otherwise works as expected. |
ezr-ondrej
force-pushed
the
filters_not_taxable
branch
from
5df1bcd
to
fd6180d
Compare
|
Thanks @ares! Great catch! If you could verify the migration fixes the issue for you, it would be great :) |
db/migrate/20210609093404_drop_override_taxonomies_from_filter.rb
Outdated
Show resolved
Hide resolved
ezr-ondrej
force-pushed
the
filters_not_taxable
branch
from
61d00d0
to
cbbf0bd
Compare
Prior this non-admin user would have to have assigned Role without taxonomies (global role) to be able to manipulate filters. This allows manipulating Filters to any User with Filter perms. Filters with taxonomies mean they apply to taxonomy. But given they have taxonomies relations, they are expected to be taxable in our permission model. All taxable resources have to have the same taxonomies as Filter have. Some filters doesn't have taxonomies as their underlying resource doesn't have taxonomies. That mean they were unable to be touched by non-admins prior this patch. This also drops current taxonomy relations in migration and force flip the `Override` flag to false for Filter resource filters.
This renames the taxable check methods on Filter to better express what they mean. We want to know it the resource is taxable, not if it has search on taxonomy.
ezr-ondrej
force-pushed
the
filters_not_taxable
branch
from
cbbf0bd
to
cab4d3a
Compare
ezr-ondrej
added
the
Needs cherrypick
|
Cherry pick in GH-8616 |
tbrisker
removed
the
Needs cherrypick
Prior this non-admin user would have to have assigned Role without
taxonomies (global role) to be able to manipulate filters.
This allows manipulating Filters to any User with Filter perms.
Filters with taxonomies mean they apply to taxonomy. But given they have
taxonomies relations, they are expected to be taxable in our permission
model. All taxable resources have to have the same taxonomies as Filter
have.
Some filters doesn't have taxonomies as their underlying resource
doesn't have taxonomies. That mean they were unable to be touched by
non-admins prior this patch.
This also renames the taxable checks to express beter what they mean.