Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

434 template paths permission check explorations #595

Merged
merged 11 commits into from
Mar 8, 2021
Merged

434 template paths permission check explorations #595

merged 11 commits into from
Mar 8, 2021

Conversation

mburri
Copy link
Member

@mburri mburri commented Mar 1, 2021
edited
Loading

With this pull request, the permission checks to save/ update a template for resources, resource types and resource (type) relations is completely pushed to the business module.

Template Paths are now validated and absolute paths and paths traversals are not allowed

@mburri mburri requested a review from yvespp March 1, 2021 15:30
@yvespp yvespp added this to the Version 1.17.23 milestone Mar 2, 2021
@yvespp
Copy link
Member

yvespp commented Mar 2, 2021

I tested this and works as expected, so I think we should go forward whit this.
Sometimes the code format is a bit odd, like here: https://github.com/liimaorg/liima/pull/595/files#diff-feed02a064a2d604d60b02b8b980888d34d72994ebf6353efd733c0b42ae8e77R152
But could only be a GitHub issue.

Maybe you could re add the removed tests on the business side?
Can you close #592 then?

@mburri mburri changed the base branch from 434-template-paths to master March 3, 2021 10:42
@mburri mburri mentioned this pull request Mar 3, 2021
Closed
@mburri
Copy link
Member Author

mburri commented Mar 4, 2021

@yvespp
I implemented the tests - and noticed that the permission checks where somehow flawed:
if the testing mode flag was set to true, and the user has Permission.SHAKEDOWN_TEST_MODE - it was still checking for Permission.RESOURCE_TEMPLATE with the proper action.

I changed that: for testing mode, only Permission.SHAKEDOWN_TEST_MODE is requested - is this correct? Or does the user still need Permission.RESOURCE_TEMPLATE or Permission.RESOURCETYPE_TEMPLATE when in testing mode?

@yvespp
Copy link
Member

yvespp commented Mar 8, 2021

@mburri I think only checking for SHAKEDOWN_TEST_MODE is ok.
SHAKEDOWN_TEST_MODE is a global permission so with the change a user can change shakedown templates on all resources instead of only the ones where he/she also can change templates. But I think that's fine because SHAKEDOWN_TEST_MODE is more of an admin permission and the shakedown functionality is hardly ever used an probably should be removed...

@yvespp yvespp merged commit d2f1add into master Mar 8, 2021
@yvespp yvespp deleted the 434-template-paths-permission-check-explorations branch March 8, 2021 13:04
@yvespp yvespp mentioned this pull request Mar 15, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yvespp yvespp yvespp approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Version 1.17.23
Development

Successfully merging this pull request may close these issues.
2 participants
@mburri @yvespp