[katello-devel] Merging ActiveRecord RBAC into the master

Mike McCune mmccune at redhat.com
Fri May 27 19:02:46 UTC 2011


On 05/27/2011 08:00 AM, Lukas Zapletal wrote:
> Hello,
>
> I am going to merge my AR RBAC work into the master. You will need to do
>
> # rake setup
>
> again. Or you can run this in the rails console if you want:
>
> ActiveRecord::Base.connection.tables.each do |t|
>     Role.allow 'admin_role', [:create, :edit, :destroy], t
> end
>
> The approach is "everybody can do everything". I did my best to test
> everything, unit tests are green, CLI works, UI works. Well, product
> creation and system registration do not work (but in master too).
>
> This change affects lots of things and can cause issues. If you run
> into a permission-related issue you can turn off AR RBAC by returning "false"
> in the Authorization#enforce? method. But it should be fine.
>

I pushed the below fix because I was running into a timing or 
order-of-execution issue where we are trying to issue a:

notice _("Login Successful")

from the user_sessions_controller.rb when we are logging in, but 
User.current isn't set yet, so it blows up on a nil class with:

NoMethodError (undefined method `username' for nil:NilClass):
   app/models/authorization.rb:67:in `access_denied'
   app/models/authorization.rb:61:in `enforce_db_permissions'
   app/models/authorization.rb:51:in `enforce_permissions'
   app/models/authorization.rb:37:in `enforce_create_permissions'
   app/controllers/application_controller.rb:85:in `notice'
   app/controllers/user_sessions_controller.rb:41:in `create'
   lib/util/threadsession.rb:79:in `thread_locals'

I spent a bit of time trying to find a proper fix but people were 
blocked and not able to log in.

commit 7a8adc27f9e9662195c13855b5d1cfc334fa2418
Author: Mike McCune <mmccune at redhat.com>
Date:   Fri May 27 11:54:16 2011 -0700

     temporary fix so people can login to the webui again

diff --git a/src/app/models/authorization.rb 
b/src/app/models/authorization.rb
index be9af63..89e4028 100644
--- a/src/app/models/authorization.rb
+++ b/src/app/models/authorization.rb
@@ -64,7 +64,13 @@ module Authorization

    def access_denied(operation)
      strid = self.id ? "(id = #{self.id})" : ''
-    msg = "User #{User.current.username} doesn't have permission to 
#{operation} this #{self.class.table_name} #{strid}"
+    msg = nil
+    if User.current.nil?
+      msg = "UNKNOWN USER doesn't have permission to #{operation} this 
#{self.class.table_name} #{strid}"
+    else
+      msg = "User #{User.current.username} doesn't have permission to 
#{operation} this #{self.class.table_name} #{strid}"
+    end
+
      Rails.logger.warn msg
      raise Errors::SecurityViolation, msg
    end
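Review bot: the nil branch at `+    if User.current.nil?` only changes the message; `raise Errors::SecurityViolation, msg` still fires, so a request that reaches `access_denied` with no current user (the login-time `notice` call in the quoted stack trace) is still refused, just with a clearer error instead of a NoMethodError. The proper fix belongs in the caller: either skip the permission check in `ApplicationController#notice` while no user is authenticated yet, or make sure `User.current` is set before the notice is issued in `UserSessionsController#create`. Two smaller points: the `msg = nil` pre-assignment is unnecessary in Ruby, and the two near-identical strings could collapse to one interpolation, e.g. `who = User.current ? "User #{User.current.username}" : "UNKNOWN USER"`, which also keeps the two messages from drifting apart later. Since the commit message calls itself temporary, a TODO comment next to the branch pointing at the intended real fix would help the next person who touches this.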

Mike
-- 
Mike McCune
mmccune AT redhat.com
Red Hat Engineering       | Portland, OR
Systems Management        | 650.254.4248
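As an added illustration (not Katello code and not Mike's patch): a self-contained Ruby sketch of the same permission check failing closed when no current user is set, built around the thread-local current user and the `Role.allow 'admin_role', [:create, :edit, :destroy], table` grant shape from the quoted message. The `User`, `Role`, `DemoUser` and `authorization_outcome` names and the `notices` table are constructed for the example.

```ruby
require 'set'

module Errors; class SecurityViolation < StandardError; end; end

# Stand-in for the app's thread-local current user (Katello keeps this in
# lib/util/threadsession.rb; this module is a constructed assumption).
module User
  def self.current;        Thread.current[:demo_user]; end
  def self.current=(user); Thread.current[:demo_user] = user; end
end

# In-memory permission table shaped like the quoted Role.allow call.
class Role
  @grants = Hash.new { |h, k| h[k] = Set.new }
  def self.allow(role, operations, table)
    operations.each { |op| @grants[role] << [op.to_sym, table.to_s] }
  end
  def self.allowed?(role, operation, table)
    @grants[role].include?([operation.to_sym, table.to_s])
  end
end

# Demo user record; `roles` stands in for whatever the real User#roles returns.
DemoUser = Struct.new(:username, :roles)

module Authorization
  # Fails closed: a missing user is denied with a readable message instead of
  # crashing on nil.username as in the trace quoted in the thread.
  def self.enforce!(operation, table)
    user = User.current
    who = user ? "User #{user.username}" : 'UNKNOWN USER'
    permitted = user && user.roles.any? { |r| Role.allowed?(r, operation, table) }
    return true if permitted
    raise Errors::SecurityViolation,
          "#{who} doesn't have permission to #{operation} this #{table}"
  end
end

# Runs one check as `user` and returns :allowed or the denial message, so the
# nil-user path (the login-time `notice` case) can be exercised directly.
def authorization_outcome(user, operation, table)
  User.current = user
  Authorization.enforce!(operation, table) && :allowed
rescue Errors::SecurityViolation => e
  e.message
ensure
  User.current = nil
end

Role.allow 'admin_role', [:create, :edit, :destroy], 'notices'
```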