Yair Zaslavsky has uploaded a new change for review. Change subject: core: can't add user without system level admin permission ......................................................................
core: can't add user without system level admin permission
This patch fixes a regression introduced at Ib62e1c051bc78b8a9ec0f32e6ba4eb9484242591
1. users manipulation is added to all current roles that have permissions manipulation
2. The check is done not on the system object but on the current object, and on its parents in the hierarchy.
Change-Id: I308f9cc5edb53b9633d768fd3d382dc9cf62031c
Bug-Url: https://bugzilla.redhat.com/1070651
Signed-off-by: Yair Zaslavsky <yzasl...@redhat.com>
---
M backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java
A packaging/dbscripts/upgrade/03_05_0070_add_missing_manipulate_users_permissions.sql
2 files changed, 36 insertions(+), 3 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/25/25225/1
diff --git a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java
index f330c8f..0f6d91e 100644
--- a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java
+++ b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/AddPermissionCommand.java
@@ -193,9 +193,8 @@
 // check if the logged in user has permissions to add another
 // user from the directory service
 if (getParameters().getUser() != null && dbUser == null) {
- permissionsSubject.add(new PermissionSubject(MultiLevelAdministrationHandler.SYSTEM_OBJECT_ID,
- VdcObjectType.System,
- VdcActionType.AddUser.getActionGroup()));
+ permissionsSubject.add(new PermissionSubject(permission.getObjectId(),
+ permission.getObjectType(), VdcActionType.AddUser.getActionGroup()));
 }
 return permissionsSubject;
 }
diff --git a/packaging/dbscripts/upgrade/03_05_0070_add_missing_manipulate_users_permissions.sql b/packaging/dbscripts/upgrade/03_05_0070_add_missing_manipulate_users_permissions.sql
new file mode 100644
index 0000000..8ee6000
--- /dev/null
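Review bot: The AddUser subject is now evaluated against `permission.getObjectId()` / `permission.getObjectType()`, so a grantor holding MANIPULATE_USERS on a single VM, disk or template (the accompanying migration hands that group to the non-admin TemplateOwner, DiskOperator and UserInstanceManager roles) can import any directory user into the engine, and that side effect is engine-wide rather than scoped to the object the permission targets. That may be the intended trade-off for bz#1070651, but it should be stated at the call site rather than left to the commit message; I would replace the two comment lines with `// A directory user not yet in the DB is created as a side effect of this command; require MANIPULATE_USERS on the permission's target object (presumably resolved up the hierarchy by the multi-level admin handler) rather than on System.` `permission` is declared outside the hunk, so I cannot see whether it is guaranteed non-null by this point; if it is not, the dereference needs a guard ahead of this block. The enclosing method begins outside the hunk.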
+++ b/packaging/dbscripts/upgrade/03_05_0070_add_missing_manipulate_users_permissions.sql 
@@ -0,0 +1,34 @@
+Create or replace FUNCTION _temp_add_missing_manipulate_users_permissions()
+RETURNS VOID
+ AS $procedure$
+ DECLARE
+ v_CLUSTER_ADMIN_ID UUID;
+ v_DATA_CENTER_ADMIN_ID UUID;
+ v_TEMPLATE_OWNER_USER_ID UUID;
+ v_DISK_OPERATOR_USER_ID UUID;
+ v_VM_ADMIN_ID UUID;
+ v_USER_INSTANCE_MANAGER_ID UUID;
+ v_MANIPULATE_USERS INTEGER;
+BEGIN
+ v_CLUSTER_ADMIN_ID := 'DEF00001-0000-0000-0000-DEF000000001';
+ v_DATA_CENTER_ADMIN_ID := 'DEF00002-0000-0000-0000-DEF000000002';
+ v_TEMPLATE_OWNER_USER_ID := 'DEF0000A-0000-0000-0000-DEF00000000F';
+ v_DISK_OPERATOR_USER_ID := 'DEF0000A-0000-0000-0000-DEF00000000B';
+ v_VM_ADMIN_ID := 'DEF00006-0000-0000-0000-DEF000000006';
+ v_USER_INSTANCE_MANAGER_ID := 'DEF00012-0000-0000-0000-DEF000000012';
+ v_MANIPULATE_USERS = 500;
+ PERFORM fn_db_add_action_group_to_role(v_CLUSTER_ADMIN_ID, v_MANIPULATE_USERS);
+ PERFORM fn_db_add_action_group_to_role(v_DATA_CENTER_ADMIN_ID, v_MANIPULATE_USERS);
+ PERFORM fn_db_add_action_group_to_role(v_TEMPLATE_OWNER_USER_ID, v_MANIPULATE_USERS);
+ PERFORM fn_db_add_action_group_to_role(v_DISK_OPERATOR_USER_ID, v_MANIPULATE_USERS);
+ PERFORM fn_db_add_action_group_to_role(v_VM_ADMIN_ID, v_MANIPULATE_USERS);
+ PERFORM fn_db_add_action_group_to_role(v_USER_INSTANCE_MANAGER_ID, v_MANIPULATE_USERS);
+
+ RETURN;
+END; $procedure$
+LANGUAGE plpgsql;
+
+SELECT _temp_add_missing_manipulate_users_permissions();
+drop function _temp_add_missing_manipulate_users_permissions();
+
+
--
To view, visit http://gerrit.ovirt.org/25225
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I308f9cc5edb53b9633d768fd3d382dc9cf62031c
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yair Zaslavsky <yzasl...@redhat.com>
_______________________________________________
Engine-patches mailing list
Engine-patches@ovirt.org
http://lists.ovirt.org/mailman/listinfo/engine-patches
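Review bot: Action group 500 is granted here to three non-admin roles (TemplateOwner, DiskOperator and UserInstanceManager alongside the three admin roles), so every command gated on that action group at object level, not just AddUser, is widened to holders of those roles; it is worth confirming nothing else keys on group 500 before this lands. The file carries no explanation of why these six roles were chosen, and I would open it with `-- Grant MANIPULATE_USERS (action group 500) to every built-in role that already holds MANIPULATE_PERMISSIONS, so such users can add a directory user while granting a permission (bz#1070651).` A set-based insert over the roles that already hold MANIPULATE_PERMISSIONS would also repair custom roles an administrator has created, which this hard-coded list of built-in role IDs leaves broken. Minor style point: `v_MANIPULATE_USERS = 500;` should use `:=` like the six assignments above it. The script presumes `fn_db_add_action_group_to_role` is safe to re-run on a role that already has the group, since upgrade scripts can be re-executed; that is not visible here and should be confirmed.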