Handling permissions: What's our approach?

Hello,
While contemplating how to check permissions for the wizard that creates new job invocations, I was looking for some unified/established way that we have to approach the issue, but unfortunately, I couldn’t find one. It seems like Katello has its own method?

Regarding the new job wizard I mentioned earlier, I came up with a workaround solution (PR link) using a new API to fetch current user permissions (PR link).

I had some great conversations about this issue with some of my teammates (you can see some of these discussions in the first PR), which brought up several observations:

  • Permissions lack dependencies between each other: users can have the create_job_invocations permission without the view_job_templates one, which is needed to create a job. Should we automatically bundle necessary permissions together? Currently, users can end up with not fully compatible permissions.
  • Single permission checks per action: We only check for one permission per action, even though sometimes we need multiple. For example, action categories can be in the engine.rb permission block just once. If listed in multiple ones, having only one of those permissions is enough (not all of them).
  • Roles: Should we enforce using the predefined roles that have all the needed permissions?
  • React path issue and lack of React “access control” methods: some react#index paths lack the correct authorizations (e.g. display_link_if_authorized) unless the user is admin (e.g. match 'new/hosts/' => 'react#index', :via => :get, :as => :new_hosts_index_page). Should we add/assign the needed permissions for every page?

I’d love to hear your thoughts / solutions / ideas / issues. Does it even make sense? Your feedback is appreciated!

2 Likes

Here’s an example of how it’s implemented in Katello:

The basic flow is

  1. The API request sends include_permissions=true
  2. The API response includes a list of permissions the current user has
  3. On the React page, we look at multiple permissions and only show actions if the user has all of the required permissions.

Good point about the React path issue; there probably should be a Redmine for that.

I feel like Katello’s approach above works fine for handling multiple permissions in the UI. Permission dependencies can also be handled, simply by adding them to the list of required permissions. On the backend, our permission system with the roles/filters/permissions structure is already pretty mature and mostly works well.

1 Like
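
An added example, not part of the thread and not Katello's or Foreman's own code: a client-side all-of permission check with dependencies folded into the required list, next to the any-of behaviour described in the first post. The function names, the dependency map and the response shape (an array of permission names) are assumptions; only the create_job_invocations / view_job_templates pair comes from the thread.

```javascript
// Hypothetical dependency map; only this pair is named in the thread.
const PERMISSION_DEPENDENCIES = {
  create_job_invocations: ['view_job_templates'],
};

// Expand the required permissions with everything they depend on
// (transitively), guarding against cycles in the map.
function expandRequired(required, deps = PERMISSION_DEPENDENCIES) {
  const seen = new Set();
  const queue = [...required];
  while (queue.length > 0) {
    const name = queue.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    queue.push(...(deps[name] || []));
  }
  return [...seen].sort();
}

// All-of check: returns the permissions the user still lacks.
function missingPermissions(userPermissions, required, deps) {
  const granted = new Set(userPermissions || []);
  return expandRequired(required, deps).filter((p) => !granted.has(p));
}

// Any-of check, the behaviour described for an action listed under
// several permissions: a single match is enough.
function hasAnyPermission(userPermissions, candidates) {
  const granted = new Set(userPermissions || []);
  return candidates.some((p) => granted.has(p));
}

// Display gate only; the server must still authorize the request itself.
function canShowAction(userPermissions, required, deps) {
  return missingPermissions(userPermissions, required, deps).length === 0;
}

// Constructed sample: a response body listing the current user's permissions.
const sampleResponse = { permissions: ['create_job_invocations'] };
const required = ['create_job_invocations'];
console.log('show wizard:', canShowAction(sampleResponse.permissions, required));
console.log('missing:', missingPermissions(sampleResponse.permissions, required));
console.log('any-of passes:', hasAnyPermission(sampleResponse.permissions,
  ['create_job_invocations', 'view_job_templates']));
```

Returning the missing names rather than a bare boolean lets the page tell the user which permission to request instead of silently hiding the action.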

Do you still show some skeleton page if the user has none of the necessary permissions?

We hide the entire tab. https://github.com/Katello/katello/blob/e5fccf9afddcece4205fc9069c24f609c0e5c686/webpack/components/extensions/HostDetails/Tabs/RepositorySetsTab/RepositorySetsTab.js#L78

Or, where appropriate, we hide only certain page elements: