Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixes #37014 - set correct Host owner during registration #9970

Closed
wants to merge 1 commit into from
Closed

Fixes #37014 - set correct Host owner during registration #9970

wants to merge 1 commit into from

Conversation

nofaralfasi
Copy link
Contributor

Add the owner_id parameter to the Host registration command.

ekohl
ekohl reviewed Dec 29, 2023
View reviewed changes
Copy link
Member

@ekohl ekohl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't you check for the permission to imitate the specified user?

app/controllers/concerns/foreman/controller/registration.rb
Comment on lines 26 to 27
organization: (organization || User.current.default_organization || User.current.my_organizations.first),
location: (location || User.current.default_location || User.current.my_locations.first),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Shouldn't this be applied to user instead of User.current now?

@nofaralfasi
Fixes #37014 - set correct Host owner during registration
6a220c0 
Add the `owner_id` parameter to the Host registration command.
@stejskalleos
Copy link
Contributor

Is this change safe? Do we want to allow anyone to alter the owner ID through the API?
To me, it looks like the owner is derived from the facts, from a subscription manager.

How about setting @host.owner = User.current directly in the prepare_host method?
Plus in the method override the method in the katello?

@stejskalleos stejskalleos self-assigned this Jan 9, 2024
@nofaralfasi
Copy link
Contributor Author

Is this change safe? Do we want to allow anyone to alter the owner ID through the API? To me, it looks like the owner is derived from the facts, from a subscription manager.

How is this allowed? If a user has permission to generate the registration command, they should also have permission to set the owner ID as part of it.

How about setting @host.owner = User.current directly in the prepare_host method? Plus in the method override the method in the katello?

How would that solve the issue? User.current is not the user who generated the registration command.

@nofaralfasi
Copy link
Contributor Author

I've noticed that the generated curl command doesn't include the owner_id parameter. If we determine that this is the correct approach, I'll address that.

@stejskalleos
Copy link
Contributor

If a user has permission to generate the registration command, they should also have permission to set the owner ID as part of it.

Are they? I mean, we don't state that anywhere.

How would that solve the issue? User.current is not the user who generated the registration command.

How come? We authenticate by the AUTH_TOKEN, Personal Access token, or by login/password.
So the User.current is the person who generated the token.

@nofaralfasi
Copy link
Contributor Author

If a user has permission to generate the registration command, they should also have permission to set the owner ID as part of it.

Are they? I mean, we don't state that anywhere.

A user who has permissions to generate the registration command and view users should also have permission to set the owner_id, right?
In this case, you are right - the authorization I added here doesn't work since it checks if the permission exists on the current user and not on the owner_id user. We can fix that by checking if the owner user has the view_users permission.

How would that solve the issue? User.current is not the user who generated the registration command.

How come? We authenticate by the AUTH_TOKEN, Personal Access token, or by login/password. So the User.current is the person who generated the token.

On downstream, the current user is the Anonymous Admin. TBH, I'm not sure how it works. If you think that should be fixed, I will look into it.

@stejskalleos
Copy link
Contributor

On downstream, the current user is the Anonymous Admin. TBH, I'm not sure how it works. If you think that should be fixed, I will look into it.

My guess is that it's coming from the Katello and the import of the host from the subman's facts. But I wasn't able to find it where exactly it's happening.

But from my testing, adding @host.owner = User.current to the https://github.com/Katello/katello/blob/master/app/controllers/katello/concerns/api/v2/registration_controller_extensions.rb#L13 fixed the ownership problem

@nofaralfasi
Copy link
Contributor Author

On downstream, the current user is the Anonymous Admin. TBH, I'm not sure how it works. If you think that should be fixed, I will look into it.

My guess is that it's coming from the Katello and the import of the host from the subman's facts. But I wasn't able to find it where exactly it's happening.

But from my testing, adding @host.owner = User.current to the https://github.com/Katello/katello/blob/master/app/controllers/katello/concerns/api/v2/registration_controller_extensions.rb#L13 fixed the ownership problem

You are right. Fixed the issue for me as well. Thanks for the help!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekohl ekohl ekohl left review comments

Assignees

@stejskalleos stejskalleos

Labels
Not yet reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@nofaralfasi @stejskalleos @ekohl