[katello-devel] Merging ActiveRecord RBAC into the master

Mike McCune mmccune at redhat.com
Fri May 27 20:21:50 UTC 2011


On 05/27/2011 12:02 PM, Mike McCune wrote:
> On 05/27/2011 08:00 AM, Lukas Zapletal wrote:
>> Hello,
>>
>> I am going to merge my AR RBAC work into the master. You will need to do
>>
>> # rake setup
>>
>> again. Or you can run this in the rails console if you want:
>>
>> ActiveRecord::Base.connection.tables.each do |t|
>>      Role.allow 'admin_role', [:create, :edit, :destroy], t
>> end
>>
>> The approach is "everybody can do everything". I did my best to test
>> everything: unit tests are green, CLI works, UI works. Well, product
>> creation and system registration do not work (but they do not in master either).
>>
>> This change affects lots of things and can cause issues. If you run
>> into a permission-related issue, you can turn off AR RBAC by returning "false"
>> in the Authorization#enforce? method. But it should be fine.
>>
>
> I pushed the below fix because I was running into a timing or
> order-of-execution issue where we are trying to issue a:
>
> notice _("Login Successful")
>
> from the user_sessions_controller.rb when we are logging in but
> User.current isn't set yet so it blows up on a nil class with:
>
> NoMethodError (undefined method `username' for nil:NilClass):
>     app/models/authorization.rb:67:in `access_denied'
>     app/models/authorization.rb:61:in `enforce_db_permissions'
>     app/models/authorization.rb:51:in `enforce_permissions'
>     app/models/authorization.rb:37:in `enforce_create_permissions'
>     app/controllers/application_controller.rb:85:in `notice'
>     app/controllers/user_sessions_controller.rb:41:in `create'
>     lib/util/threadsession.rb:79:in `thread_locals'
>
> I spent a bit of time trying to find a proper fix but people were
> blocked and not able to login.
>
> commit 7a8adc27f9e9662195c13855b5d1cfc334fa2418
> Author: Mike McCune<mmccune at redhat.com>
> Date:   Fri May 27 11:54:16 2011 -0700
>
>       temporary fix so people can login to the webui again
>
> diff --git a/src/app/models/authorization.rb
> b/src/app/models/authorization.rb
> index be9af63..89e4028 100644
> --- a/src/app/models/authorization.rb
> +++ b/src/app/models/authorization.rb
> @@ -64,7 +64,13 @@ module Authorization
>
>      def access_denied(operation)
>        strid = self.id ? "(id = #{self.id})" : ''
> -    msg = "User #{User.current.username} doesn't have permission to
> #{operation} this #{self.class.table_name} #{strid}"
> +    msg = nil
> +    if User.current.nil?
> +      msg = "UNKNOWN USER doesn't have permission to #{operation} this
> #{self.class.table_name} #{strid}"
> +    else
> +      msg = "User #{User.current.username} doesn't have permission to
> #{operation} this #{self.class.table_name} #{strid}"
> +    end
> +
>        Rails.logger.warn msg
>        raise Errors::SecurityViolation, msg
>      end
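Review bot: the nil check in access_denied only prevents the NoMethodError; with User.current still nil the method goes on to log and raise Errors::SecurityViolation, so the ordering problem the backtrace shows (notice in user_sessions_controller.rb#create calling enforce_create_permissions before User.current is set) is masked rather than fixed. Since the commit message calls this a temporary fix, a TODO comment next to the `if User.current.nil?` branch naming that ordering issue would help whoever does the proper fix. The two branches also duplicate the message text; a single `name = User.current ? User.current.username : 'UNKNOWN USER'` followed by one msg string would keep the same behaviour in fewer lines.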
>
> Mike

Also seeing this error:

https://bugzilla.redhat.com/show_bug.cgi?id=708494#c1

Mike
-- 
Mike McCune
mmccune AT redhat.com
Red Hat Engineering       | Portland, OR
Systems Management        | 650.254.4248
