mgr/dashboard: Only list tasks that user is authorized to see
Currently all tasks are displayed, regardless of user permissions.
In the following example, the user is only allowed to manage pools, but he can see an RBD task:
#2 Updated by Ricardo Dias over 1 year ago
To fix the bug described in this issue we need to dynamically verify the user permissions and filter the task list accordingly.
We already perform dynamic checks of user permissions in other controllers, such as in "controllers/summary.py" or in "controllers/dashboard.py".
Each task always has a name, usually of the form "component/action" (e.g., "rbd/create", "pool/delete"). We can use the component name and the action name to decide which security scope and kind of permission to use for querying the user permissions. For instance, for the task with the "rbd/create" name we should only include it in the tasks list if the condition "self._has_permissions(Permission.CREATE, Scope.RBD_IMAGE)" is true.
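The name-based filtering described in comment #2, as an added example that is not part of the original comment or of the Ceph dashboard code. The scope and permission strings, the two mapping tables and the helper names are assumptions standing in for the dashboard's own Scope/Permission constants; a task whose name cannot be mapped is hidden rather than shown.

```python
# Added example: stand-ins for the dashboard's Scope/Permission constants.
COMPONENT_SCOPE = {"rbd": "rbd-image", "pool": "pool"}   # assumed mapping
ACTION_PERMISSION = {"create": "create",                 # assumed mapping
                     "edit": "update",
                     "delete": "delete"}


def required_permission(task_name):
    """Map a 'component/action' task name to (scope, permission).

    Returns None when the name does not have that form or when either
    part is not in the mapping tables.
    """
    component, sep, action = task_name.partition("/")
    if not sep:
        return None
    scope = COMPONENT_SCOPE.get(component)
    perm = ACTION_PERMISSION.get(action)
    if scope is None or perm is None:
        return None
    return scope, perm


def has_permission(user_perms, scope, perm):
    """user_perms: dict of scope -> set of permissions granted to the user."""
    return perm in user_perms.get(scope, ())


def filter_tasks(tasks, user_perms):
    """Return only the tasks the user is authorized to see (fail closed)."""
    visible = []
    for task in tasks:
        req = required_permission(task["name"])
        if req is not None and has_permission(user_perms, *req):
            visible.append(task)
    return visible


# Constructed sample data: a user who may only manage pools.
POOL_MANAGER = {"pool": {"read", "create", "update", "delete"}}
TASKS = [
    {"name": "rbd/create", "metadata": {"image_name": "img1"}},
    {"name": "pool/delete", "metadata": {"pool_name": "p1"}},
    {"name": "unknown/thing", "metadata": {}},
]

if __name__ == "__main__":
    for task in filter_tasks(TASKS, POOL_MANAGER):
        print(task["name"])
```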
#4 Updated by Tina Kallio over 1 year ago
- File recent notifications.png added
- Status changed from New to In Progress
- % Done changed from 0 to 80
The changes made to filter out tasks according to permission in the task list work.
However, if a user (regardless of permissions) logs in to the same browser after another user, all events listed in "Recent notifications" from the previous user are displayed. This includes but is not limited to finished tasks, see image. Note! This is not a problem when using a new browser.
Suggested to be treated separately, issue created: