Authorise manage tenant quotas as tenant product feature in UI #5123
Conversation
lpichler
changed the title
|
@miq-bot add_label hammer/yes |
| @@ -166,7 +166,7 @@ def rbac_tenant_manage_quotas_reset | |||
| end | |||
|
|
|||
| def rbac_tenant_manage_quotas | |||
| assert_privileges("rbac_tenant_manage_quotas") | |||
| assert_privileges(MiqProductFeature.tenant_identifier('rbac_tenant_manage_quotas', params[:id])) | |||
There was a problem hiding this comment.
Would be better if the call to MiqProductFeature.tenant_identifier lived in assert_privileges, if possible. This way UI developers don't necessarily need to be aware of it.
lpichler
force-pushed
the
authorise_manage_tenant_quotas_as_tenant_product_feature
branch
2 times, most recently
from
8ee9ce0
to
2b10a95
Compare
lpichler
force-pushed
the
authorise_manage_tenant_quotas_as_tenant_product_feature
branch
2 times, most recently
from
6e97be5
to
46d9603
Compare
|
@miq-bot assign @martinpovolny |
| @@ -2081,6 +2081,10 @@ def identify_tl_or_perf_record | |||
| end | |||
|
|
|||
| def assert_privileges(feature) | |||
| if MiqProductFeature.my_root_tenant_identifier?(feature) && params&.[](:id) | |||
lpichler
force-pushed
the
authorise_manage_tenant_quotas_as_tenant_product_feature
branch
from
46d9603
to
685a43f
Compare
app/helpers/application_helper.rb
Outdated
| # return feature that should be checked for the button that came in | ||
| case pressed | ||
| when "rbac_project_add", "rbac_tenant_add" | ||
| "rbac_tenant_add" | ||
| when "rbac_tenant_manage_quotas" | ||
| MiqProductFeature.tenant_identifier('rbac_tenant_manage_quotas', resource_id) |
There was a problem hiding this comment.
Would it make sense to use the same logic as in assert_privileges here?
(As in, don't hardcode rbac_tenant_manage_quotas if this should be happening for every MiqProductFeature.my_root_tenant_identifier?(feature) when resource_id is not nil?)
This would also make it clear that calling tenant_identifier with nil as the second param shouldn't happen.
There was a problem hiding this comment.
all of this method is a hack
there was some generic mechanism and then someone added an "if" there for a particular button
now there's one more of such "if"s.
Then the UI team has to support this for ever.
| @@ -1144,8 +1144,8 @@ def rbac_free_for_custom_button?(task, button_id) | |||
|
|
|||
| def check_button_rbac | |||
| # buttons ids that share a common feature id | |||
| common_buttons = %w(rbac_project_add rbac_tenant_add) | |||
| task = common_buttons.include?(params[:pressed]) ? rbac_common_feature_for_buttons(params[:pressed]) : rbac_feature_id(params[:pressed]) | |||
| common_buttons = %w(rbac_project_add rbac_tenant_add rbac_tenant_manage_quotas) | |||
There was a problem hiding this comment.
you are expanding an exception that was not supposed to be there at all
| @@ -2081,6 +2081,10 @@ def identify_tl_or_perf_record | |||
| end | |||
|
|
|||
| def assert_privileges(feature) | |||
| if MiqProductFeature.my_root_tenant_identifier?(feature) && params.key?(:id) | |||
There was a problem hiding this comment.
assert_privileged was a rather clean method, not a pure function as it talks to a database, but given a state of the models it would return a result that would depend only on its single argument.
Not you are adding a side channel to it -- you talk to params. This goes directly against the cleanup efforts that we are having.
lpichler
force-pushed
the
authorise_manage_tenant_quotas_as_tenant_product_feature
branch
3 times, most recently
from
b9014e8
to
100db67
Compare
lpichler
changed the title
lpichler
force-pushed
the
authorise_manage_tenant_quotas_as_tenant_product_feature
branch
from
100db67
to
838791c
Compare
|
@martinpovolny @himdel I overrode method |
| @@ -8,6 +8,14 @@ module OpsController::OpsRbac | |||
| 'Tenant' => 'tenant' | |||
| }.freeze | |||
|
|
|||
| def role_allows?(**options) | |||
| if MiqProductFeature.my_root_tenant_identifier?(options[:feature]) && params.key?(:id) | |||
| options[:feature] = MiqProductFeature.tenant_identifier(options[:feature], params[:id].to_s.split("-").last) | |||
There was a problem hiding this comment.
why the split?
According to the tests, this is always just the id, are the tests wrong? ;)
(Or, if we're always dealing with trees, maybe something like ⬇️ ?)
_, _, id = TreeBuilder.extract_node_model_and_id(params[:id])
There was a problem hiding this comment.
yes exactly I was looking for this, 👍
this goes for button (if it should display "Manage Tenant Quotas" button in toolbar) and for controller actions.
lpichler
force-pushed
the
authorise_manage_tenant_quotas_as_tenant_product_feature
branch
from
838791c
to
13a3f97
Compare
|
@miq-bot remove_label wip |
|
LGTM, merging now because build reasons 👍 , |
lpichler
deleted the
authorise_manage_tenant_quotas_as_tenant_product_feature
branch
…_as_tenant_product_feature Authorise manage tenant quotas as tenant product feature in UI (cherry picked from commit ae4b7ad) https://bugzilla.redhat.com/show_bug.cgi?id=1468795
|
Hammer backport details: |
WIP:
Scenario:
Let's have tenant structure:
According to the BZ user alpha needs to have forbidden access to managing quotas for tenant Alpha (user alpha) and allowed to managing quotas.
We can use for this recent feature called Dynamic product features according to tenants
that we will authorise dynamic tenant product features (
rbac_tenant_manage_quotas_tenant_<TENANT ID where we want/don't want to manage tenant quotas >) to access managing quotas of .To accomplish this we need to change places where we are authorising
rbac_tenant_manage_quotas_tenanttorbac_tenant_manage_quotas_tenant_<TENANT ID where we want/don't want to manage tenant quotas >This places are in UI and API in the PRs above
User alpha has this setting in role (rbac_tenant_manage_quotas_tenant is checked just for Omega Tenant)
which will forbid managing for tenant alpha
and allow manage quotas for omega tenant
Links
@miq-bot add_label enhancement, blocker