[katello-devel] Permissions review - authorized filter in UI controllers
Lukas Zapletal
lzap at redhat.com
Mon Jan 16 11:33:38 UTC 2012
Hello,
During my permissions API review and implementation this sprint I was
also looking at the UI controller code, and I found the following
construct in many places:
skip_before_filter :authorize #load the environment
before_filter :find_environment
before_filter :authorize
The skip_before_filter call is not needed in this case, so I have
removed it from all UI controllers. I did this because now we can track
skip_before_filter lines with grep:
If you do
git grep "skip_before_filter :authorize"
you will find the following UI controllers that have (for some reason)
disabled the authorize call.
app/controllers/accounts_controller.rb
app/controllers/dashboard_controller.rb
app/controllers/errata_controller.rb
app/controllers/errors_controller.rb
app/controllers/notices_controller.rb
When I was sure it was our intention, I commented it so those lines can
be seen with grep:
skip_before_filter :authorize # ok - is used by warden
On top of that the following controllers either do not have rules
implemented or do not have authorize filter enabled:
packages_controller.rb
distributions_controller.rb
errata_controller.rb
templates_content_controller.rb (authorize filter call is missing)
The list is not complete. I am creating a new BZ for the UI permissions
review. Its target is to comment all skip_before_filter :authorize
lines where appropriate, remove the rest and add rules to all
controllers.
https://bugzilla.redhat.com/show_bug.cgi?id=782022
ps - please ignore a few ./api controllers which I am still working on -
those are mainly proxy controllers
--
Later,
Lukas Zapletal | E32E400A
RHN Satellite Engineering
Red Hat Czech s.r.o. Brno
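The grep-based review described in the mail above, carried a step further as an added example (this is not Katello code and not the author's script): a small Ruby audit that scans controller sources for the three patterns the mail discusses. It flags a skip_before_filter :authorize that is re-enabled by a later before_filter :authorize in the same file (the construct the mail removes), a skip without a "# ok ..." justification comment, and a file that mentions no :authorize filter at all. The controller names and contents below are constructed samples, not real Katello files; the "# ok" comment convention and one-filter-per-line layout are assumptions taken from the mail.

```ruby
# Added example, not code from Katello: audit Rails controller sources for
# the authorize-filter patterns discussed in the mail.
#
# Findings per controller, as [kind, line_number]:
#   :redundant_skip   - skip_before_filter :authorize followed by a
#                       before_filter :authorize later in the same file
#   :uncommented_skip - skip_before_filter :authorize with no "# ok ..." comment
#   :no_authorize     - the file mentions no :authorize filter at all
#
# Assumptions: one filter declaration per line, and a justified skip carries a
# trailing "# ok" comment as in the mail. A source scan cannot see a filter
# inherited from ApplicationController, so :no_authorize means "nothing in
# this file", not "nothing in the filter chain" - check the parent class too.

SKIP_RE   = /^\s*skip_before_filter\s+:authorize\b(?<rest>.*)$/
ENABLE_RE = /^\s*before_filter\s+:authorize\b/
OK_RE     = /#\s*ok\b/i

def audit_controller(source)
  skips   = []   # [line_no, justified?]
  enables = []   # line numbers of before_filter :authorize
  source.each_line.with_index(1) do |line, no|
    if (m = SKIP_RE.match(line))
      skips << [no, OK_RE.match?(m[:rest])]
    elsif ENABLE_RE.match?(line)
      enables << no
    end
  end

  findings = []
  skips.each do |no, justified|
    if enables.any? { |e| e > no }
      findings << [:redundant_skip, no]      # skip is undone further down
    elsif !justified
      findings << [:uncommented_skip, no]    # needs a "# ok ..." reason or removal
    end
  end
  findings << [:no_authorize, nil] if skips.empty? && enables.empty?
  findings
end

# Audit { "path" => source } and keep only the files that have findings.
def audit_all(sources)
  sources.each_with_object({}) do |(path, src), out|
    f = audit_controller(src)
    out[path] = f unless f.empty?
  end
end

# Constructed sample controllers (hypothetical names and bodies).
SAMPLE_CONTROLLERS = {
  "app/controllers/env_scoped_controller.rb" => <<~RUBY,
    class EnvScopedController < ApplicationController
      skip_before_filter :authorize #load the environment
      before_filter :find_environment
      before_filter :authorize
    end
  RUBY
  "app/controllers/warden_controller.rb" => <<~RUBY,
    class WardenController < ApplicationController
      skip_before_filter :authorize # ok - is used by warden
    end
  RUBY
  "app/controllers/unexplained_controller.rb" => <<~RUBY,
    class UnexplainedController < ApplicationController
      skip_before_filter :authorize
    end
  RUBY
  "app/controllers/no_filter_controller.rb" => <<~RUBY,
    class NoFilterController < ApplicationController
      before_filter :find_template
    end
  RUBY
  "app/controllers/plain_controller.rb" => <<~RUBY,
    class PlainController < ApplicationController
      before_filter :authorize
    end
  RUBY
}

if __FILE__ == $0
  audit_all(SAMPLE_CONTROLLERS).each do |path, findings|
    findings.each { |kind, no| puts "#{path}#{no ? ":#{no}" : ''}: #{kind}" }
  end
end
```

To run it against a real checkout, replace SAMPLE_CONTROLLERS with a hash built from Dir.glob("app/controllers/**/*_controller.rb") and File.read; the :no_authorize finding is only meaningful once you have confirmed how the parent controller declares its filters.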