Bug #25094
closedmgr/dashboard: Only list tasks that user is authorized to see
100%
Description
Currently all tasks are displayed, regardless of user permissions.
In the following example, user is only allowed to manage pool, but he can see an RBD task:
Files
Updated by Ricardo Marques over 5 years ago
- Related to Bug #36328: Roles: issues added
Updated by Ricardo Dias over 5 years ago
To fix the bug described in this issue we need to dynamically verify the user permissions and filter the task list accordingly.
We already preform dynamic checks of user permissions in other controllers, such as in "controllers/summary.py" or in "controllers/dashboard.py".
Each task has always a name, usually of the form "component/action" (e.g., "rbd/create", "pool/delete"). We can use the component name, and action name, to decide which security scope and kind of permission to use for querying the user permissions. For instance, for the task with the "rbd/create" name we should only include it the tasks list if the condition "self._has_permissions(Permission.CREATE, Scope.RBD_IMAGE)" is true.
Updated by Tina Kallio over 5 years ago
- File recent notifications.png recent notifications.png added
- Status changed from New to In Progress
- % Done changed from 0 to 80
Changes made to filter out task according to permission in task-list works.
However, if a user (regardless of permissions) log in to the same browser after another user, all events listed in "Recent notifications" from previous user are displayed. This includes but is not limited to finished tasks, see image. Note! This is not a problem when using a new browser.
Suggested to be treated seperatly, issue created:
Updated by Tina Kallio over 5 years ago
- Status changed from In Progress to Fix Under Review
Updated by Lenz Grimmer over 5 years ago
- Status changed from Fix Under Review to Resolved
- Target version set to v14.0.0
Updated by Ernesto Puerta about 3 years ago
- Project changed from mgr to Dashboard
- Category changed from 132 to General