Fixes #30394 - allow non-admins deal with untaxed filters #8422
Issues: #30394
Alternative approach would be checking the role's taxonomies for Filter manipulation, but I believe this is what we want.
Force-pushed from 5b80234 to 3b5afb0.
app/models/filter.rb
if organizations.empty? && locations.empty? | ||
if organizations.blank? && locations.blank? |
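Review bot: the `blank?` on the new line is broader than the `empty?` it replaces: `blank?` also accepts nil and whitespace-only strings, so a search string of `' '` would be treated as absent, which `empty?` would not do. If `build_taxonomy_search_string` always returns a String, as the thread states, `empty?` is the tighter check; keep `empty?` unless a nil can actually reach this condition.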
this is wrong
As discussed, please split the actual fix from the refactoring into two commits, otherwise makes sense. Left one nit re `empty?` vs `blank?`. Also the logging seems to be debugging leftover :-)
app/models/filter.rb
if organizations.empty? && locations.empty? | ||
if organizations.blank? && locations.blank? |
Can this ever be nil? Even `''` is empty.
I don't think so. `build_taxonomy_search_string` guarantees to return a string.
I've rolled this back, these are not `org` and `loc`, but `organizations` and `locations`.
app/services/authorizer.rb
find_collection(subject.class, :permission => permission). | ||
where(:id => subject.id).any? | ||
col = find_collection(subject.class, :permission => permission) | ||
Foreman::Logging.logger('permissions').debug col.collect(&:id) |
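Review bot: the added `Foreman::Logging.logger('permissions').debug col.collect(&:id)` evaluates `col.collect(&:id)` before the logger decides whether DEBUG is enabled, so every id in the collection is loaded on each authorization check even in production; if the line stays, pass the message as a block (`debug { col.collect(&:id) }`), otherwise drop it as a debugging leftover. Separately, the removed lines ended in `.where(:id => subject.id).any?` while the added lines shown stop at `col = find_collection(...)`; confirm the narrowing to `subject.id` still follows, since a non-empty collection on its own only proves the user may see some record of that class, not the specific subject.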
Perhaps use a block for the message so `col.collect(&:id)` would only be evaluated if the logger is allowed and debug level set (performance nit).
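The performance nit above in runnable form. This is an added example, not code from the Foreman project: `ExpensiveMessage` is a constructed stand-in for `col.collect(&:id)` that counts how often it is built, and the logger writes to a `StringIO` so the effect of the log level can be checked offline. It shows that the argument form pays the cost even when DEBUG is filtered out, while the block form only evaluates the message when the logger will actually emit it.

```ruby
require 'logger'
require 'stringio'

# Stand-in for an expensive log message such as col.collect(&:id).
# Constructed for this example: it counts how many times it was built.
class ExpensiveMessage
  attr_reader :builds

  def initialize
    @builds = 0
  end

  def build
    @builds += 1
    (1..5).map { |i| i * i }.join(',') # "1,4,9,16,25"
  end
end

# Logger writing to an in-memory buffer, filtered at the given level.
def new_logger(level)
  io = StringIO.new
  logger = Logger.new(io)
  logger.level = level
  [logger, io]
end

# Argument form: Ruby evaluates msg.build before Logger#debug ever
# consults the level, so the work is done even when nothing is written.
def log_eagerly(level)
  logger, io = new_logger(level)
  msg = ExpensiveMessage.new
  logger.debug(msg.build)
  { builds: msg.builds, logged: io.string.include?('1,4,9,16,25') }
end

# Block form: Logger#debug only yields to the block when DEBUG is enabled,
# so the message is built exactly when it will be emitted.
def log_lazily(level)
  logger, io = new_logger(level)
  msg = ExpensiveMessage.new
  logger.debug { msg.build }
  { builds: msg.builds, logged: io.string.include?('1,4,9,16,25') }
end

if __FILE__ == $PROGRAM_NAME
  puts "eager at INFO:  #{log_eagerly(Logger::INFO)}"  # built once, never logged
  puts "lazy at INFO:   #{log_lazily(Logger::INFO)}"   # never built
  puts "lazy at DEBUG:  #{log_lazily(Logger::DEBUG)}"  # built once and logged
end
```

The same rule applies to `Foreman::Logging.logger(...)`, which wraps a standard `Logger`: wrapping the `collect` in a block keeps the permission check free of the extra query when the `permissions` logger is not at debug level.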
I've just removed that.
Force-pushed from 3b5afb0 to bcfb7a1.
Force-pushed from bcfb7a1 to be6e3de.
I've split this into two commits to have the rename method separate.
Force-pushed from be6e3de to 8b1c6da.
app/models/filter.rb
orgs = if resource_taxable_by_organization? | ||
build_taxonomy_search_string('organization') | ||
else | ||
'' | ||
end | ||
locs = if resource_taxable_by_location? | ||
build_taxonomy_search_string('location') | ||
else | ||
'' | ||
end |
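Review bot: the `orgs` and `locs` assignments repeat the same shape, a `resource_taxable_by_*` test that yields either a search string or `''`. Moving that test into `build_taxonomy_search_string` so it returns `''` itself for a non-taxable resource would remove the duplication and reduce each caller to a single call, while the `''` default still satisfies the later `empty?` check on both strings.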
Now that I see it here, should `build_taxonomy_search_string` instead return `''` if it's not taxable?
looks much cleaner now :)
Force-pushed from 60def6a to 5df1bcd.
I've fixed tests, so I believe it is ready :)
I was just about to test this. Code looks good now, thanks for splitting to two commits, please keep that when merging. I haven't tested, let me know if you need hand with that. Otherwise feel free to merge.
No objections from my side.
@ares if you have the reproducer ready for testing that would be helpful :)
This seems to cause problems when there is already a filter with Filter permissions that's scoped to the org/loc. From now on, it's invalid and I don't have a way to fix that from UI, because I no longer see the org/loc tabs for this filter. We may need a migration for this. Otherwise works as expected.
Force-pushed from 5df1bcd to fd6180d.
Thanks @ares! Great catch! If you could verify the migration fixes the issue for you, it would be great :)
db/migrate/20210609093404_drop_override_taxonomies_from_filter.rb
Force-pushed from 61d00d0 to cbbf0bd.
Prior to this, a non-admin user would have to have an assigned Role without taxonomies (global role) to be able to manipulate filters. This allows manipulating Filters for any User with Filter perms. Filters with taxonomies mean they apply to a taxonomy. But given they have taxonomy relations, they are expected to be taxable in our permission model. All taxable resources have to have the same taxonomies as the Filter has. Some filters don't have taxonomies, as their underlying resource doesn't have taxonomies. That means they were unable to be touched by non-admins prior to this patch. This also drops current taxonomy relations in a migration and force-flips the `Override` flag to false for Filter resource filters.
This renames the taxable check methods on Filter to better express what they mean. We want to know if the resource is taxable, not if it has a search on taxonomy.
Force-pushed from cbbf0bd to cab4d3a.
LGTM, any other comments @ares ?
Thanks, the migration passes. Merging!
Cherry pick in GH-8616
Prior to this, a non-admin user would have to have an assigned Role without taxonomies (global role) to be able to manipulate filters.
This allows manipulating Filters for any User with Filter perms.
Filters with taxonomies mean they apply to a taxonomy. But given they have taxonomy relations, they are expected to be taxable in our permission model. All taxable resources have to have the same taxonomies as the Filter has.
Some filters don't have taxonomies, as their underlying resource doesn't have taxonomies. That means they were unable to be touched by non-admins prior to this patch.
This also renames the taxable checks to express better what they mean.
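The permission rule described in the commit message above (and in the same words in the PR description earlier on the page), reduced to a small Ruby model. This is an added example and not Foreman's code: `Role`, `Resource`, `Filter`, the `:edit_filters` permission name and the organization names are constructed stand-ins, and only organizations are modelled (locations behave the same way). The point it makes concrete is why a role scoped to one organization could never reach a filter on an untaxable resource before the patch, and why the Filter permission alone decides afterwards.

```ruby
# Simplified model of the authorization rule in the commit message.
# Constructed for illustration; names and structures are not Foreman's.

Role     = Struct.new(:permissions, :organizations) # organizations empty => global role
Resource = Struct.new(:name, :taxable)              # e.g. hosts are taxable, architectures are not
Filter   = Struct.new(:resource, :organizations)    # the filter's own taxonomy relations

# A filter on an untaxable resource cannot carry taxonomies at all, which is
# the "some filters don't have taxonomies" case from the commit message.
def new_filter(resource, organizations)
  Filter.new(resource, resource.taxable ? organizations : [])
end

# Before the patch: because a Filter has taxonomy relations, the authorizer
# treats it like any other taxable resource, so a role limited to some
# organizations only reaches filters sharing at least one of them. A filter
# with no organizations is therefore unreachable for every non-global role.
def can_manage_filter_before?(role, filter)
  return false unless role.permissions.include?(:edit_filters)
  return true if role.organizations.empty?
  (role.organizations & filter.organizations).any?
end

# After the patch: the Filter itself is not taxable, so the Filter permission
# alone decides. The filter's organizations keep their other meaning (what the
# filter applies to) but no longer gate who may edit the filter.
def can_manage_filter_after?(role, filter)
  role.permissions.include?(:edit_filters)
end

# Scenario: a non-admin role scoped to one organization, one filter on a
# taxable resource in that organization and one on an untaxable resource.
def scenario
  scoped_role = Role.new([:edit_filters], ['org-a'])
  host_filter = new_filter(Resource.new('Host', true), ['org-a'])
  arch_filter = new_filter(Resource.new('Architecture', false), ['org-a'])
  {
    before: [can_manage_filter_before?(scoped_role, host_filter),
             can_manage_filter_before?(scoped_role, arch_filter)],
    after:  [can_manage_filter_after?(scoped_role, host_filter),
             can_manage_filter_after?(scoped_role, arch_filter)],
  }
end

# A role without the Filter permission is refused under both rules.
def without_permission
  role = Role.new([:view_hosts], [])
  filter = new_filter(Resource.new('Host', true), ['org-a'])
  [can_manage_filter_before?(role, filter), can_manage_filter_after?(role, filter)]
end

if __FILE__ == $PROGRAM_NAME
  p scenario           # {:before=>[true, false], :after=>[true, true]}
  p without_permission # [false, false]
end
```

The `arch_filter` case is the one the PR fixes: its organizations end up empty because the underlying resource is untaxable, so under the old rule no scoped role could ever touch it, while the new rule still refuses anyone lacking the Filter permission.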