Handling permissions: What's our approach?

While contemplating how to check permissions for the wizard that creates new job invocations, I was looking for some unified/established way that we have to approach the issue, but unfortunately, I couldn’t find one. It seems like Katello has its own method?

Regarding the new job wizard I mentioned earlier, I came up with a workaround solution (PR link) using a new API to fetch current user permissions (PR link).

I had some great conversations about this issue with some of my teammates (you can see some of these discussions in the first PR), which brought up several observations:

  • Permissions lack dependencies between each other: users can have the create_job_invocations permission without the view_job_templates one, which is needed to create a job. Should we automatically bundle necessary permissions together? Currently, users can end up with not fully compatible permissions.
  • Single permission checks per action: We only check for one permission per action, even though sometimes we need multiple. For example, action categories can be in the engine.rb permission block just once. If listed in multiple ones, having only one of those permissions is enough (not all of them).
  • Roles: Should we enforce using the predefined roles that have all the needed permissions?
  • React path issue and lack of react “access control” methods: some react#index paths lack the correct authorizations (e.g. display_link_if_authorized) unless the user is admin (e.g. match 'new/hosts/' => 'react#index', :via => :get, :as => :new_hosts_index_page). Should we add/assign the needed permissions for every page?

I’d love to hear your thoughts / solutions / ideas / issues. Does it even make sense? Your feedback is appreciated!


Here’s an example of how it’s implemented in Katello:

The basic flow is

  1. The API request sends include_permissions=true
  2. The API response includes a list of permissions the current user has
  3. On the React page, we look at multiple permissions and only show actions if the user has all of the required permissions.

Good point about the React path issue; there probably should be a Redmine for that.

I feel like Katello’s approach above works fine for handling multiple permissions in the UI. Permission dependencies can also be handled, simply by adding them to the list of required permissions. On the backend, our permission system with the roles/filters/permissions structure is already pretty mature and mostly works well.

1 Like

Do you still show some skeleton page if the user has none of the necessary permissions?

We hide the entire tab. https://github.com/Katello/katello/blob/e5fccf9afddcece4205fc9069c24f609c0e5c686/webpack/components/extensions/HostDetails/Tabs/RepositorySetsTab/RepositorySetsTab.js#L78

Or, where appropriate, we hide only certain page elements: