[katello-devel] Merging ActiveRecord RBAC into the master
Mike McCune
mmccune at redhat.com
Fri May 27 20:21:50 UTC 2011
On 05/27/2011 12:02 PM, Mike McCune wrote:
> On 05/27/2011 08:00 AM, Lukas Zapletal wrote:
>> Hello,
>>
>> I am going to merge my AR RBAC work into the master. You will need to do
>>
>> # rake setup
>>
>> again. Or you can run this in the rails console if you want:
>>
>> ActiveRecord::Base.connection.tables.each do |t|
>>   Role.allow 'admin_role', [:create, :edit, :destroy], t
>> end
>>
>> The approach is "everybody can do everything". I did my best to test
>> everything: unit tests are green, CLI works, UI works. Well, product
>> creation and system registration do not work (but in master too).
>>
>> This change affects lots of things and can cause issues. If you run
>> into a permission-related issue you can turn AR RBAC off by returning "false"
>> in the Authorization#enforce? method. But it should be fine.
>>
>
> I pushed the below fix because I was running into a timing or
> order-of-execution issue where we are trying to issue a:
>
> notice _("Login Successful")
>
> from the user_sessions_controller.rb when we are logging in but
> User.current isn't set yet so it blows up on a nil class with:
>
> NoMethodError (undefined method `username' for nil:NilClass):
> app/models/authorization.rb:67:in `access_denied'
> app/models/authorization.rb:61:in `enforce_db_permissions'
> app/models/authorization.rb:51:in `enforce_permissions'
> app/models/authorization.rb:37:in `enforce_create_permissions'
> app/controllers/application_controller.rb:85:in `notice'
> app/controllers/user_sessions_controller.rb:41:in `create'
> lib/util/threadsession.rb:79:in `thread_locals'
>
> I spent a bit of time trying to find a proper fix but people were
> blocked and not able to login.
>
> commit 7a8adc27f9e9662195c13855b5d1cfc334fa2418
> Author: Mike McCune<mmccune at redhat.com>
> Date: Fri May 27 11:54:16 2011 -0700
>
> temporary fix so people can login to the webui again
>
> diff --git a/src/app/models/authorization.rb
> b/src/app/models/authorization.rb
> index be9af63..89e4028 100644
> --- a/src/app/models/authorization.rb
> +++ b/src/app/models/authorization.rb
> @@ -64,7 +64,13 @@ module Authorization
>
> def access_denied(operation)
> strid = self.id ? "(id = #{self.id})" : ''
> - msg = "User #{User.current.username} doesn't have permission to
> #{operation} this #{self.class.table_name} #{strid}"
> + msg = nil
> + if User.current.nil?
> + msg = "UNKNOWN USER doesn't have permission to #{operation} this
> #{self.class.table_name} #{strid}"
> + else
> + msg = "User #{User.current.username} doesn't have permission to
> #{operation} this #{self.class.table_name} #{strid}"
> + end
> +
> Rails.logger.warn msg
> raise Errors::SecurityViolation, msg
> end
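Review bot: the nil guard in access_denied only changes the message text; the method still raises Errors::SecurityViolation when User.current is nil, so the `notice _("Login Successful")` call in user_sessions_controller#create (application_controller.rb:85 in the trace) will keep failing unless that exception is rescued on the login path. The trace shows the real defect is ordering: enforce_create_permissions runs for the notice record before the session has set User.current, so the durable fix is to set User.current before the notice is emitted rather than to special-case the denial message. Minor: the two msg branches differ only in the subject; `who = User.current ? "User #{User.current.username}" : "UNKNOWN USER"` followed by a single msg assignment removes the duplicated string. Keeping the warn line for the nil case is worthwhile, since a denial logged without a username is still an audit signal.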
>
> Mike
Also seeing this error:
https://bugzilla.redhat.com/show_bug.cgi?id=708494#c1
Mike
--
Mike McCune
mmccune AT redhat.com
Red Hat Engineering | Portland, OR
Systems Management | 650.254.4248
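An added Ruby illustration, not Katello's own code, of the ordering defect in the quoted trace: a record that is subject to DB-permission enforcement is created before User.current is set. The Authorization module, the PERMISSIONS table and the Notice model are hypothetical stand-ins for the project's Role.allow / enforce? machinery; the nil-safe access_denied follows the quoted patch with its duplicated message factored out.

```ruby
module Errors
  class SecurityViolation < StandardError; end
end
# Thread-local current user, like the page's User.current; nil until login completes.
class User
  attr_reader :username
  def initialize(username); @username = username; end
  def self.current; Thread.current[:current_user]; end
  def self.current=(u); Thread.current[:current_user] = u; end
end

# Hypothetical stand-in for Role.allow/enforce?: grants keyed by [username, operation, table].
module Authorization
  PERMISSIONS = { ['admin', :create, 'notices'] => true }
  def self.enforce?; true; end # returning false here disables AR RBAC, as Lukas notes
  def enforce_permissions(operation)
    return true unless Authorization.enforce?
    user = User.current
    allowed = user && PERMISSIONS[[user.username, operation, self.class.table_name]]
    access_denied(operation) unless allowed
    true
  end

  # Nil-safe denial as in the quoted patch, with the duplicated message factored out.
  def access_denied(operation)
    who = User.current ? "User #{User.current.username}" : 'UNKNOWN USER'
    msg = "#{who} doesn't have permission to #{operation} this #{self.class.table_name}"
    warn msg # stands in for Rails.logger.warn
    raise Errors::SecurityViolation, msg
  end
end

class Notice
  include Authorization
  def self.table_name; 'notices'; end
  def save; enforce_permissions(:create); end
end

# Login flow; notice_first reproduces the controller creating the notice before
# User.current is set. Returns the success text or the denial message.
def login_outcome(user, notice_first)
  User.current = nil
  Notice.new.save if notice_first # checked with no current user -> denied
  User.current = user
  Notice.new.save
  'Login Successful'
rescue Errors::SecurityViolation => e
  e.message
end
```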