Bug #25094
closed
mgr/dashboard: Only list tasks that user is authorized to see
Added by Ricardo Marques almost 6 years ago.
Updated about 3 years ago.
Description
Currently all tasks are displayed, regardless of user permissions.
In the following example, user is only allowed to manage pool, but he can see an RBD task:
Files
To fix the bug described in this issue we need to dynamically verify the user permissions and filter the task list accordingly.
We already preform dynamic checks of user permissions in other controllers, such as in "controllers/summary.py" or in "controllers/dashboard.py".
Each task has always a name, usually of the form "component/action" (e.g., "rbd/create", "pool/delete"). We can use the component name, and action name, to decide which security scope and kind of permission to use for querying the user permissions. For instance, for the task with the "rbd/create" name we should only include it the tasks list if the condition "self._has_permissions(Permission.CREATE, Scope.RBD_IMAGE)" is true.
- Assignee set to Tina Kallio
Changes made to filter out task according to permission in task-list works.
However, if a user (regardless of permissions) log in to the same browser after another user, all events listed in "Recent notifications" from previous user are displayed. This includes but is not limited to finished tasks, see image. Note! This is not a problem when using a new browser.
Suggested to be treated seperatly, issue created:
https://tracker.ceph.com/issues/37379
- Status changed from In Progress to Fix Under Review
- Pull request ID set to 25426
- Status changed from Fix Under Review to Resolved
- Target version set to v14.0.0
- % Done changed from 80 to 100
- Project changed from mgr to Dashboard
- Category changed from 132 to General
Also available in: Atom
PDF