[Ovirt-devel] [PATCH] add permissions checks to search results.

Scott Seago sseago at redhat.com
Wed Aug 6 17:45:26 UTC 2008 

To do so, I've enabled term-based parameters to each of the searchable types. At the query level, appending search_users:foo limits results to items viewable by user foo. This involved:

1) added :terms parameter to acts_as_xapian declaration for the method search_users
2) added search_users method to searchable models which return an array of usernames that have 'monitor' access
3) modified the acts_as_xapian plugin to handle prefix searches for which the object provides multiple values (since we have multiple users with access to each object) -- this is a change which may be suitable for upstream inclusion
4) When performing the search, search for "(#{terms}) AND search_users:#{user}" instead of simply searching for terms.

This patch is dependant on the prior search denormalization patch.

Signed-off-by: Scott Seago <sseago at redhat.com>
---
 wui/src/app/controllers/hardware_controller.rb     |    1 +
 wui/src/app/controllers/search_controller.rb       |   16 ++++++++++------
 wui/src/app/models/host.rb                         |    8 +++++++-
 wui/src/app/models/pool.rb                         |    8 +++++++-
 wui/src/app/models/storage_pool.rb                 |    6 +++++-
 wui/src/app/models/vm.rb                           |    8 +++++++-
 .../plugins/acts_as_xapian/lib/acts_as_xapian.rb   |    6 +++++-
 7 files changed, 42 insertions(+), 11 deletions(-)

diff --git a/wui/src/app/controllers/hardware_controller.rb b/wui/src/app/controllers/hardware_controller.rb
index 5f473db..019fdd8 100644
--- a/wui/src/app/controllers/hardware_controller.rb
+++ b/wui/src/app/controllers/hardware_controller.rb
@@ -110,6 +110,7 @@ class HardwareController < ApplicationController
     unless @can_view
       flash[:notice] = 'You do not have permission to view this Hardware Pool: redirecting to top level'
       redirect_to :action => 'list'
+      return
     end
     render :layout => 'selection'    
   end
diff --git a/wui/src/app/controllers/search_controller.rb b/wui/src/app/controllers/search_controller.rb
index ca4fbb1..cc7e527 100644
--- a/wui/src/app/controllers/search_controller.rb
+++ b/wui/src/app/controllers/search_controller.rb
@@ -56,6 +56,11 @@ class SearchController < ApplicationController
       @models ||= [@model_param]
     end
     @user = get_login_user
+    #filter terms on permissions
+    filtered_terms = "search_users:#{@user}"
+    if @terms and !@terms.empty?
+      filtered_terms = "(#{@terms}) AND #{filtered_terms}"
+    end
 
     @page = params[:page].to_i
     @page ||= 1
@@ -63,12 +68,11 @@ class SearchController < ApplicationController
     @per_page ||= 20
     @offset = (@page-1)*@per_page
     @results = ActsAsXapian::Search.new(@models,
-                                        @terms,
-                                       :offset => @offset,
-                                       :limit => @per_page,
-                                       :sort_by_prefix => nil,
-                                       :collapse_by_prefix => nil)
-    #FIXME filter on permissions
+                                        filtered_terms,
+                                        :offset => @offset,
+                                        :limit => @per_page,
+                                        :sort_by_prefix => nil,
+                                        :collapse_by_prefix => nil)
   end
 
   def results
diff --git a/wui/src/app/models/host.rb b/wui/src/app/models/host.rb
index fc3b236..5b32653 100644
--- a/wui/src/app/models/host.rb
+++ b/wui/src/app/models/host.rb
@@ -43,7 +43,8 @@ class Host < ActiveRecord::Base
   acts_as_xapian :texts => [ :hostname, :uuid, :hypervisor_type, :arch ],
                  :values => [ [ :created_at, 0, "created_at", :date ],
                               [ :updated_at, 1, "updated_at", :date ] ],
-                 :terms => [ [ :hostname, 'H', "hostname" ] ]
+                 :terms => [ [ :hostname, 'H', "hostname" ],
+                             [ :search_users, 'U', "search_users" ] ]
 
 
   KVM_HYPERVISOR_TYPE = "KVM"
@@ -88,4 +89,9 @@ class Host < ActiveRecord::Base
   def display_class
     "Host"
   end
+
+  def search_users
+    hardware_pool.search_users
+  end
+
 end
diff --git a/wui/src/app/models/pool.rb b/wui/src/app/models/pool.rb
index 1870027..6599c72 100644
--- a/wui/src/app/models/pool.rb
+++ b/wui/src/app/models/pool.rb
@@ -85,7 +85,8 @@ class Pool < ActiveRecord::Base
     end
   end
 
-  acts_as_xapian :texts => [ :name ]
+  acts_as_xapian :texts => [ :name ],
+                 :terms => [ [ :search_users, 'U', "search_users" ] ]
 
   # this method lists pools with direct permission grants, but by default does
   #  not include implied permissions (i.e. subtrees)
@@ -246,6 +247,11 @@ class Pool < ActiveRecord::Base
   def display_class
     get_type_label
   end
+
+  def search_users
+    permissions.collect {|perm| perm.uid}
+  end
+
   protected
   def traverse_parents
     if id
diff --git a/wui/src/app/models/storage_pool.rb b/wui/src/app/models/storage_pool.rb
index 3e3f58f..460b49d 100644
--- a/wui/src/app/models/storage_pool.rb
+++ b/wui/src/app/models/storage_pool.rb
@@ -32,7 +32,8 @@ class StoragePool < ActiveRecord::Base
 
   validates_presence_of :ip_addr, :hardware_pool_id
 
-  acts_as_xapian :texts => [ :ip_addr, :target, :export_path, :type ]
+  acts_as_xapian :texts => [ :ip_addr, :target, :export_path, :type ],
+                 :terms => [ [ :search_users, 'U', "search_users" ] ]
   ISCSI = "iSCSI"
   NFS   = "NFS"
   STORAGE_TYPES = { ISCSI => "Iscsi",
@@ -60,4 +61,7 @@ class StoragePool < ActiveRecord::Base
     "Storage Pool"
   end
 
+  def search_users
+    hardware_pool.search_users
+  end
 end
diff --git a/wui/src/app/models/vm.rb b/wui/src/app/models/vm.rb
index 34d5bf4..9ac24d9 100644
--- a/wui/src/app/models/vm.rb
+++ b/wui/src/app/models/vm.rb
@@ -31,7 +31,8 @@ class Vm < ActiveRecord::Base
   validates_presence_of :uuid, :description, :num_vcpus_allocated,
                         :memory_allocated_in_mb, :memory_allocated, :vnic_mac_addr
 
-  acts_as_xapian :texts => [ :uuid, :description, :vnic_mac_addr, :state ]
+  acts_as_xapian :texts => [ :uuid, :description, :vnic_mac_addr, :state ],
+                 :terms => [ [ :search_users, 'U', "search_users" ] ]
 
   BOOT_DEV_HD          = "hd"
   BOOT_DEV_NETWORK     = "network"
@@ -193,6 +194,11 @@ class Vm < ActiveRecord::Base
   def display_class
     "VM"
   end
+
+  def search_users
+    vm_resource_pool.search_users
+  end
+
   protected
   def validate
     resources = vm_resource_pool.max_resources_for_vm(self)
diff --git a/wui/src/vendor/plugins/acts_as_xapian/lib/acts_as_xapian.rb b/wui/src/vendor/plugins/acts_as_xapian/lib/acts_as_xapian.rb
index eda0b1b..566fe82 100644
--- a/wui/src/vendor/plugins/acts_as_xapian/lib/acts_as_xapian.rb
+++ b/wui/src/vendor/plugins/acts_as_xapian/lib/acts_as_xapian.rb
@@ -523,6 +523,8 @@ module ActsAsXapian
                 value.utc.strftime("%Y%m%d")
             elsif type == :boolean
                 value ? true : false
+            elsif type == :array
+                (value.class == Array) ? value.collect {|x| x.to_s} : value.to_s
             else
                 value.to_s
             end
@@ -549,7 +551,9 @@ module ActsAsXapian
             doc.add_term("I" + doc.data)
             if self.xapian_options[:terms]
               for term in self.xapian_options[:terms]
-                  doc.add_term(term[1] + xapian_value(term[0]))
+                  xapian_value(term[0], :array).each do |val|
+                    doc.add_term(term[1] + val)
+                  end
               end
             end
             if self.xapian_options[:values]
-- 
1.5.5.1

More information about the ovirt-devel mailing list