[katello-devel] Merging ActiveRecord RBAC into the master
Mike McCune
mmccune at redhat.com
Fri May 27 19:02:46 UTC 2011
On 05/27/2011 08:00 AM, Lukas Zapletal wrote:
> Hello,
>
> I am going to merge my AR RBAC work into the master. You will need to do
>
> # rake setup
>
> again. Or you can run this in the rails console if you want:
>
> ActiveRecord::Base.connection.tables.each do |t|
>   Role.allow 'admin_role', [:create, :edit, :destroy], t
> end
>
> The approach is "everybody can do everything". I did my best to test
> everything: unit tests are green, CLI works, UI works. Well, product
> creation and system registration do not work (but they do not in master either).
>
> This change affects lots of things and can cause issues. If you run
> into a permission-related issue you can turn AR RBAC off by returning "false"
> in the Authorization#enforce? method. But it should be fine.
>
I pushed the below fix because I was running into a timing or
order-of-execution issue where we are trying to issue a:

    notice _("Login Successful")

from the user_sessions_controller.rb when we are logging in, but
User.current isn't set yet, so it blows up on a nil class with:

    NoMethodError (undefined method `username' for nil:NilClass):
      app/models/authorization.rb:67:in `access_denied'
      app/models/authorization.rb:61:in `enforce_db_permissions'
      app/models/authorization.rb:51:in `enforce_permissions'
      app/models/authorization.rb:37:in `enforce_create_permissions'
      app/controllers/application_controller.rb:85:in `notice'
      app/controllers/user_sessions_controller.rb:41:in `create'
      lib/util/threadsession.rb:79:in `thread_locals'
I spent a bit of time trying to find a proper fix but people were
blocked and not able to login.
commit 7a8adc27f9e9662195c13855b5d1cfc334fa2418
Author: Mike McCune <mmccune at redhat.com>
Date: Fri May 27 11:54:16 2011 -0700
temporary fix so people can login to the webui again
diff --git a/src/app/models/authorization.rb
b/src/app/models/authorization.rb
index be9af63..89e4028 100644
--- a/src/app/models/authorization.rb
+++ b/src/app/models/authorization.rb
@@ -64,7 +64,13 @@ module Authorization
def access_denied(operation)
strid = self.id ? "(id = #{self.id})" : ''
- msg = "User #{User.current.username} doesn't have permission to
#{operation} this #{self.class.table_name} #{strid}"
+ msg = nil
+ if User.current.nil?
+ msg = "UNKNOWN USER doesn't have permission to #{operation} this
#{self.class.table_name} #{strid}"
+ else
+ msg = "User #{User.current.username} doesn't have permission to
#{operation} this #{self.class.table_name} #{strid}"
+ end
+
Rails.logger.warn msg
raise Errors::SecurityViolation, msg
end
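Review bot: the hunk only changes the message text; `raise Errors::SecurityViolation, msg` still fires when `User.current` is nil, so the `notice _("Login Successful")` call in the traceback above now raises SecurityViolation instead of NoMethodError rather than succeeding, unless that exception is rescued somewhere on the login path. If the intent is to let the login notice through, the fix belongs in the caller (set `User.current` before calling `notice` in `user_sessions_controller.rb#create`, or exempt notice creation from `enforce_create_permissions`) rather than in `access_denied`. As a style point, the two branches duplicate the whole message; `who = User.current ? "User #{User.current.username}" : "UNKNOWN USER"` followed by a single `msg = "#{who} doesn't have permission to #{operation} this #{self.class.table_name} #{strid}"` says the same thing without the repetition. Denying when no user is set is the right fail-closed default; the log line should probably say so explicitly so the "UNKNOWN USER" case is easy to grep for.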
Mike
--
Mike McCune
mmccune AT redhat.com
Red Hat Engineering | Portland, OR
Systems Management | 650.254.4248
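The following is an added example, not code from Katello or from either poster, that models the two things discussed in this thread: Lukas's "everybody can do everything" seeding of `admin_role` over every table, and the failure Mike hit when a notice is created before `User.current` has been set for the request thread. The names `Role.allow`, `User.current`, `Authorization.enforce?`, `access_denied` and `Errors::SecurityViolation` are taken from the thread; their bodies here, the `Notice` model, the `TABLES` list and the `create_notice_as` helper are assumptions standing in for the real ActiveRecord code.

```ruby
# Added example modelling the AR RBAC flow from the thread. Method names
# follow the thread; every body below is an assumption, not Katello's code.

module Errors
  class SecurityViolation < StandardError; end
end

# Stand-in for the thread-local session helper (lib/util/threadsession.rb).
# User.current is per thread so concurrent requests never see each other's user.
class User
  attr_reader :username, :roles

  def initialize(username, roles)
    @username = username
    @roles = roles
  end

  def self.current
    Thread.current[:user]
  end

  def self.current=(user)
    Thread.current[:user] = user
  end
end

# In-memory permission table: role name => { table name => [verbs] }.
class Role
  @perms = Hash.new { |h, role| h[role] = Hash.new { |t, table| t[table] = [] } }

  def self.allow(role, verbs, table)
    @perms[role][table] |= verbs
  end

  def self.allowed?(role, verb, table)
    @perms[role][table].include?(verb)
  end

  def self.reset!
    @perms.clear
  end
end

module Authorization
  # Global switch mentioned in the thread: returning false turns AR RBAC off.
  def self.enforce?
    true
  end

  def enforce_permissions(operation)
    return true unless Authorization.enforce?
    user = User.current
    # Fail closed: no user on this thread (e.g. a notice emitted before the
    # login request has set User.current) is a denial, not a crash.
    allowed = user && user.roles.any? do |r|
      Role.allowed?(r, operation, self.class.table_name)
    end
    access_denied(operation) unless allowed
    true
  end

  def access_denied(operation)
    who = User.current ? "User #{User.current.username}" : 'UNKNOWN USER'
    strid = id ? "(id = #{id})" : ''
    msg = "#{who} doesn't have permission to #{operation} this #{self.class.table_name} #{strid}"
    # Rails.logger.warn msg would go here in the real model.
    raise Errors::SecurityViolation, msg
  end
end

# Toy model standing in for the ActiveRecord model behind `notice`.
class Notice
  include Authorization
  attr_reader :id, :text

  def self.table_name
    'notices'
  end

  def initialize(text, id = nil)
    @text = text
    @id = id
  end

  def create!
    enforce_permissions(:create)
    self
  end
end

# Constructed stand-in for ActiveRecord::Base.connection.tables.
TABLES = %w[notices users roles].freeze

# Lukas's seed: admin_role may create/edit/destroy on every table.
def seed_admin_role
  Role.reset!
  TABLES.each { |t| Role.allow 'admin_role', [:create, :edit, :destroy], t }
end

# Runs the "Login Successful" notice with the given user (or nil, which is the
# ordering bug from the thread). Returns :allowed or the denial message.
def create_notice_as(user)
  User.current = user
  Notice.new('Login Successful').create!
  :allowed
rescue Errors::SecurityViolation => e
  e.message
ensure
  User.current = nil
end

if $PROGRAM_NAME == __FILE__
  seed_admin_role
  puts create_notice_as(nil)
  puts create_notice_as(User.new('admin', ['admin_role']))
end
```

The point of the model is that the nil-user case should be a clean denial the caller can act on, which is why `access_denied` formats "UNKNOWN USER" instead of dereferencing `User.current`; the login controller then has to set `User.current` before it emits the notice, since the check itself correctly refuses to create anything on behalf of nobody.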