Hi all,
This patch adds permission-checking for Deployable controller actions per #1223. I also updated seeds.rb with some additional permissions; otherwise, no one would have access to manage deployables. It would be terrific if someone with a solid understanding of permissions could review this patch.
I added a new cucumber feature because the existing "Manage Deployables" feature has a "Given I am an authorised user" background which runs tests as an Administrator would see them. This one runs as a new self-service user.
-- Matt
Also introduces basic cucumber tests for Deployables permissions and updates seeds.rb with new permissions. --- .../image_factory/deployables_controller.rb | 8 +++ src/db/seeds.rb | 7 +++ src/features/deployable_permissions.feature | 47 ++++++++++++++++++++ src/features/step_definitions/authentication.rb | 15 ++++++ 4 files changed, 77 insertions(+), 0 deletions(-) create mode 100644 src/features/deployable_permissions.feature
diff --git a/src/app/controllers/image_factory/deployables_controller.rb b/src/app/controllers/image_factory/deployables_controller.rb index 05e9596..80270b3 100644 --- a/src/app/controllers/image_factory/deployables_controller.rb +++ b/src/app/controllers/image_factory/deployables_controller.rb @@ -8,6 +8,7 @@ class ImageFactory::DeployablesController < ApplicationController
def show @deployable = Deployable.find(params[:id]) + require_privilege(Privilege::VIEW, @deployable) @url_params = params.clone @tab_captions = ['Properties', 'Assemblies'] @details_tab = params[:details_tab].blank? ? 'properties' : params[:details_tab] @@ -23,10 +24,12 @@ class ImageFactory::DeployablesController < ApplicationController end
def new + require_privilege(Privilege::CREATE, Deployable) @deployable = Deployable.new end
def create + require_privilege(Privilege::CREATE, Deployable) @deployable = Deployable.new(params[:deployable]) if @deployable.save flash[:notice] = "Deployable added." @@ -38,10 +41,12 @@ class ImageFactory::DeployablesController < ApplicationController
def edit @deployable = Deployable.find(params[:id]) + require_privilege(Privilege::MODIFY, @deployable) end
def update @deployable = Deployable.find(params[:id]) + require_privilege(Privilege::MODIFY, @deployable) if @deployable.update_attributes(params[:deployable]) flash[:notice] = "Deployable updated." redirect_to image_factory_deployable_url(@deployable) @@ -72,6 +77,7 @@ class ImageFactory::DeployablesController < ApplicationController end
def pick_assemblies + require_privilege(Privilege::MODIFY, @deployable) @assemblies = Assembly.all - @deployable.assemblies respond_to do |format| format.js { render :partial => 'pick_assemblies' } @@ -80,6 +86,7 @@ class ImageFactory::DeployablesController < ApplicationController end
def add_assemblies + require_privilege(Privilege::MODIFY, @deployable) if assemblies = params.delete(:assemblies_selected) @deployable.assembly_ids += assemblies.collect{|a| a.to_i} @deployable.save! @@ -92,6 +99,7 @@ class ImageFactory::DeployablesController < ApplicationController end
def remove_assemblies + require_privilege(Privilege::MODIFY, @deployable) if params[:assemblies_selected].present? @deployable.assembly_ids = @deployable.assembly_ids - params[:assemblies_selected].collect{|a| a.to_i} @deployable.save! diff --git a/src/db/seeds.rb b/src/db/seeds.rb index 7ef7c37..3f44698 100644 --- a/src/db/seeds.rb +++ b/src/db/seeds.rb @@ -1,3 +1,6 @@ + + + # Default Pool Family PoolFamily.create!(:name => "default", :description => "default pool family", :quota => Quota.create)
@@ -44,6 +47,9 @@ roles = Template => {"Template User" => [false, {Template => [VIEW,USE]}], "Template Owner" => [true, {Template => [VIEW,USE,MOD, VPRM,GPRM]}]}, + Deployable => + {"Deployable User" => [false, {Deployable => [VIEW,USE]}], + "Deployable Owner" => [true, {Deployable => [VIEW,USE,MOD,VPRM,GPRM]}]}, BasePermissionObject => {"Provider Creator" => [false, {Provider => [ CRE]}], "Provider Administrator" => [false, {Provider => [VIEW, MOD,CRE,VPRM,GPRM], @@ -69,6 +75,7 @@ roles = Quota => [VIEW, MOD], PoolFamily => [VIEW, MOD,CRE,VPRM,GPRM], Template => [VIEW,USE,MOD,CRE,VPRM,GPRM], + Deployable => [VIEW,USE,MOD,CRE,VPRM,GPRM], BasePermissionObject => [ MOD, VPRM,GPRM]}]}} Role.transaction do roles.each do |role_scope, scoped_hash| diff --git a/src/features/deployable_permissions.feature b/src/features/deployable_permissions.feature new file mode 100644 index 0000000..be26972 --- /dev/null +++ b/src/features/deployable_permissions.feature 
@@ -0,0 +1,47 @@ +Feature: Manage Deployables as a non-admin + In order to manage my cloud infrastructure + As an unprivileged user + I want to manage deployables that I have permission to use + + Background: + Given I am a new user + + Scenario: List deployables as a new user + Given I am on the homepage + And there is a deployable named "MySQL cluster" + When I go to the image factory deployables page + Then I should see "MySQL cluster" + + Scenario: View a deployable as a new user + Given there is a deployable named "MySQL cluster" + And I am on the image factory deployables page + When I follow "MySQL cluster" + Then I should see "Edit" + + @allow-rescue + Scenario: Try to edit a deployable as a new user + Given there is a deployable named "Apache Webserver" + And I am on the image factory deployables page + When I follow "Apache Webserver" + And I follow "Edit" + Then I should see "You have insufficient privileges to perform action." + + @allow-rescue + Scenario: Try to create a deployable as a new user + Given there is a deployable named "Solr Server" + And I am on the image factory deployables page + When I follow "Create" + Then I should see "You have insufficient privileges to perform action." + + @allow-rescue + Scenario: Try to remove an assembly as a new user + Given there is a deployable named "Mailserver Cluster" + Given there is an assembly named "Postfix Node" belonging to "Mailserver Cluster" + And I am on the image factory deployables page + Then I should see "Mailserver Cluster" + When I follow "Mailserver Cluster" + And I follow "details_Assemblies" + Then I should see "Postfix Node" + When I check the "Postfix Node" assembly + And I press "Remove Selected" + Then I should see "You have insufficient privileges to perform action." diff --git a/src/features/step_definitions/authentication.rb b/src/features/step_definitions/authentication.rb index e7a84bd..4a13be0 100644 --- a/src/features/step_definitions/authentication.rb 
+++ b/src/features/step_definitions/authentication.rb @@ -10,6 +10,17 @@ def login(login, password) click_button "Login" end
+def signup + visit path_to("the new account page") + fill_in "Choose a username", :with => 'newuser' + fill_in "Choose a password", :with => 'password' + fill_in "Confirm password", :with => 'password' + fill_in "First name", :with => 'Unprivileged' + fill_in "Last name", :with => "User" + fill_in "E-mail", :with => "testuser@example.com" + click_button "Save" +end + Given /^I am a registered user$/ do user end @@ -18,6 +29,10 @@ When /^I login$/ do login(user.login, user.password) end
+Given /^I am a new user$/ do + signup +end + Given /^I am logged in$/ do login(user.login, user.password) UserSession.find.should_not == nil
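Review bot: in pick_assemblies, add_assemblies and remove_assemblies of deployables_controller.rb, require_privilege(Privilege::MODIFY, @deployable) is the first statement of the action and nothing in these hunks assigns @deployable before it, unlike show, edit and update, where Deployable.find(params[:id]) precedes the check. Please confirm that a filter loads the record for these three actions and say so in the commit message or a comment, since the check is only as good as the object it is handed.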
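Review bot: the first seeds.rb hunk (@@ -1,3 +1,6 @@) adds nothing but three empty lines above "# Default Pool Family". Drop that hunk so the patch touches seeds.rb only where the role definitions change.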
Here is the patch rebased on next so it applies cleanly again.
-- Matt
Also introduces basic cucumber tests for Deployables permissions and updates seeds.rb with new permissions.
Signed-off-by: Matt Wagner matt.wagner@redhat.com --- .../image_factory/deployables_controller.rb | 8 +++ src/db/seeds.rb | 7 +++ src/features/deployable_permissions.feature | 47 ++++++++++++++++++++ src/features/step_definitions/authentication.rb | 15 ++++++ 4 files changed, 77 insertions(+), 0 deletions(-) create mode 100644 src/features/deployable_permissions.feature
diff --git a/src/app/controllers/image_factory/deployables_controller.rb b/src/app/controllers/image_factory/deployables_controller.rb index 0ffa33e..8bb23a8 100644 --- a/src/app/controllers/image_factory/deployables_controller.rb +++ b/src/app/controllers/image_factory/deployables_controller.rb @@ -15,6 +15,7 @@ class ImageFactory::DeployablesController < ApplicationController
def show @deployable = Deployable.find(params[:id]) + require_privilege(Privilege::VIEW, @deployable) @url_params = params.clone @tab_captions = ['Properties', 'Assemblies', 'Deployments'] @details_tab = params[:details_tab].blank? ? 'properties' : params[:details_tab] @@ -33,10 +34,12 @@ class ImageFactory::DeployablesController < ApplicationController end
def new + require_privilege(Privilege::CREATE, Deployable) @deployable = Deployable.new end
def create + require_privilege(Privilege::CREATE, Deployable) @deployable = Deployable.new(params[:deployable]) if @deployable.save flash[:notice] = "Deployable added." @@ -48,10 +51,12 @@ class ImageFactory::DeployablesController < ApplicationController
def edit @deployable = Deployable.find(params[:id]) + require_privilege(Privilege::MODIFY, @deployable) end
def update @deployable = Deployable.find(params[:id]) + require_privilege(Privilege::MODIFY, @deployable) if @deployable.update_attributes(params[:deployable]) flash[:notice] = "Deployable updated." redirect_to image_factory_deployable_url(@deployable) @@ -82,6 +87,7 @@ class ImageFactory::DeployablesController < ApplicationController end
def pick_assemblies + require_privilege(Privilege::MODIFY, @deployable) @assemblies = Assembly.all - @deployable.assemblies respond_to do |format| format.js { render :partial => 'pick_assemblies' } @@ -90,6 +96,7 @@ class ImageFactory::DeployablesController < ApplicationController end
def add_assemblies + require_privilege(Privilege::MODIFY, @deployable) if assemblies = params.delete(:assemblies_selected) @deployable.assembly_ids += assemblies.collect{|a| a.to_i} @deployable.save! @@ -102,6 +109,7 @@ class ImageFactory::DeployablesController < ApplicationController end
def remove_assemblies + require_privilege(Privilege::MODIFY, @deployable) if params[:assemblies_selected].present? @deployable.assembly_ids = @deployable.assembly_ids - params[:assemblies_selected].collect{|a| a.to_i} @deployable.save! diff --git a/src/db/seeds.rb b/src/db/seeds.rb index 7ef7c37..3f44698 100644 --- a/src/db/seeds.rb +++ b/src/db/seeds.rb @@ -1,3 +1,6 @@ + + + # Default Pool Family PoolFamily.create!(:name => "default", :description => "default pool family", :quota => Quota.create)
@@ -44,6 +47,9 @@ roles = Template => {"Template User" => [false, {Template => [VIEW,USE]}], "Template Owner" => [true, {Template => [VIEW,USE,MOD, VPRM,GPRM]}]}, + Deployable => + {"Deployable User" => [false, {Deployable => [VIEW,USE]}], + "Deployable Owner" => [true, {Deployable => [VIEW,USE,MOD,VPRM,GPRM]}]}, BasePermissionObject => {"Provider Creator" => [false, {Provider => [ CRE]}], "Provider Administrator" => [false, {Provider => [VIEW, MOD,CRE,VPRM,GPRM], @@ -69,6 +75,7 @@ roles = Quota => [VIEW, MOD], PoolFamily => [VIEW, MOD,CRE,VPRM,GPRM], Template => [VIEW,USE,MOD,CRE,VPRM,GPRM], + Deployable => [VIEW,USE,MOD,CRE,VPRM,GPRM], BasePermissionObject => [ MOD, VPRM,GPRM]}]}} Role.transaction do roles.each do |role_scope, scoped_hash| diff --git a/src/features/deployable_permissions.feature b/src/features/deployable_permissions.feature new file mode 100644 index 0000000..be26972 --- /dev/null +++ b/src/features/deployable_permissions.feature 
@@ -0,0 +1,47 @@ +Feature: Manage Deployables as a non-admin + In order to manage my cloud infrastructure + As an unprivileged user + I want to manage deployables that I have permission to use + + Background: + Given I am a new user + + Scenario: List deployables as a new user + Given I am on the homepage + And there is a deployable named "MySQL cluster" + When I go to the image factory deployables page + Then I should see "MySQL cluster" + + Scenario: View a deployable as a new user + Given there is a deployable named "MySQL cluster" + And I am on the image factory deployables page + When I follow "MySQL cluster" + Then I should see "Edit" + + @allow-rescue + Scenario: Try to edit a deployable as a new user + Given there is a deployable named "Apache Webserver" + And I am on the image factory deployables page + When I follow "Apache Webserver" + And I follow "Edit" + Then I should see "You have insufficient privileges to perform action." + + @allow-rescue + Scenario: Try to create a deployable as a new user + Given there is a deployable named "Solr Server" + And I am on the image factory deployables page + When I follow "Create" + Then I should see "You have insufficient privileges to perform action." + + @allow-rescue + Scenario: Try to remove an assembly as a new user + Given there is a deployable named "Mailserver Cluster" + Given there is an assembly named "Postfix Node" belonging to "Mailserver Cluster" + And I am on the image factory deployables page + Then I should see "Mailserver Cluster" + When I follow "Mailserver Cluster" + And I follow "details_Assemblies" + Then I should see "Postfix Node" + When I check the "Postfix Node" assembly + And I press "Remove Selected" + Then I should see "You have insufficient privileges to perform action." diff --git a/src/features/step_definitions/authentication.rb b/src/features/step_definitions/authentication.rb index e7a84bd..4a13be0 100644 --- a/src/features/step_definitions/authentication.rb 
+++ b/src/features/step_definitions/authentication.rb @@ -10,6 +10,17 @@ def login(login, password) click_button "Login" end
+def signup + visit path_to("the new account page") + fill_in "Choose a username", :with => 'newuser' + fill_in "Choose a password", :with => 'password' + fill_in "Confirm password", :with => 'password' + fill_in "First name", :with => 'Unprivileged' + fill_in "Last name", :with => "User" + fill_in "E-mail", :with => "testuser@example.com" + click_button "Save" +end + Given /^I am a registered user$/ do user end @@ -18,6 +29,10 @@ When /^I login$/ do login(user.login, user.password) end
+Given /^I am a new user$/ do + signup +end + Given /^I am logged in$/ do login(user.login, user.password) UserSession.find.should_not == nil
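Review bot: the three @allow-rescue scenarios in deployable_permissions.feature assert only on the text "You have insufficient privileges to perform action." and never on the resulting state. In "Try to remove an assembly as a new user", add a step after the denial that checks "Postfix Node" still belongs to "Mailserver Cluster", so the scenario fails if the removal happened before the check fired. The controller hunks also guard update and add_assemblies, and no scenario here exercises either of them.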
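Review bot: signup in step_definitions/authentication.rb hard-codes the username 'newuser' and the e-mail "testuser@example.com" and does not check that the registration succeeded after click_button "Save". A second call in the same scenario would try to register the same login again, and a failed signup would only show up later as a misleading permission failure; take the login as an argument with a default and assert on the post-signup page.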
On 04/25/2011 03:30 PM, Matt Wagner wrote:
Also introduces basic cucumber tests for Deployables permissions and updates seeds.rb with new permissions.
Signed-off-by: Matt Wagner matt.wagner@redhat.com
.../image_factory/deployables_controller.rb | 8 +++ src/db/seeds.rb | 7 +++ src/features/deployable_permissions.feature | 47 ++++++++++++++++++++ src/features/step_definitions/authentication.rb | 15 ++++++ 4 files changed, 77 insertions(+), 0 deletions(-) create mode 100644 src/features/deployable_permissions.feature
diff --git a/src/app/controllers/image_factory/deployables_controller.rb b/src/app/controllers/image_factory/deployables_controller.rb index 0ffa33e..8bb23a8 100644 --- a/src/app/controllers/image_factory/deployables_controller.rb +++ b/src/app/controllers/image_factory/deployables_controller.rb @@ -15,6 +15,7 @@ class ImageFactory::DeployablesController< ApplicationController
def show @deployable = Deployable.find(params[:id])
- require_privilege(Privilege::VIEW, @deployable) @url_params = params.clone @tab_captions = ['Properties', 'Assemblies', 'Deployments'] @details_tab = params[:details_tab].blank? ? 'properties' : params[:details_tab]
@@ -33,10 +34,12 @@ class ImageFactory::DeployablesController< ApplicationController end
def new
- require_privilege(Privilege::CREATE, Deployable)
See comment below for explanation, but this should be Template rather than Deployable.
@deployable = Deployable.new end def create
- require_privilege(Privilege::CREATE, Deployable)
See comment below for explanation, but this should be Template rather than Deployable.
@deployable = Deployable.new(params[:deployable]) if @deployable.save flash[:notice] = "Deployable added."
@@ -48,10 +51,12 @@ class ImageFactory::DeployablesController< ApplicationController
def edit @deployable = Deployable.find(params[:id])
require_privilege(Privilege::MODIFY, @deployable) end
def update @deployable = Deployable.find(params[:id])
require_privilege(Privilege::MODIFY, @deployable) if @deployable.update_attributes(params[:deployable]) flash[:notice] = "Deployable updated." redirect_to image_factory_deployable_url(@deployable)
@@ -82,6 +87,7 @@ class ImageFactory::DeployablesController< ApplicationController end
def pick_assemblies
- require_privilege(Privilege::MODIFY, @deployable) @assemblies = Assembly.all - @deployable.assemblies respond_to do |format| format.js { render :partial => 'pick_assemblies' }
@@ -90,6 +96,7 @@ class ImageFactory::DeployablesController< ApplicationController end
def add_assemblies
- require_privilege(Privilege::MODIFY, @deployable) if assemblies = params.delete(:assemblies_selected) @deployable.assembly_ids += assemblies.collect{|a| a.to_i} @deployable.save!
@@ -102,6 +109,7 @@ class ImageFactory::DeployablesController< ApplicationController end
def remove_assemblies
- require_privilege(Privilege::MODIFY, @deployable) if params[:assemblies_selected].present? @deployable.assembly_ids = @deployable.assembly_ids - params[:assemblies_selected].collect{|a| a.to_i} @deployable.save!
diff --git a/src/db/seeds.rb b/src/db/seeds.rb index 7ef7c37..3f44698 100644 --- a/src/db/seeds.rb +++ b/src/db/seeds.rb @@ -1,3 +1,6 @@
- # Default Pool Family PoolFamily.create!(:name => "default", :description => "default pool family", :quota => Quota.create)
@@ -44,6 +47,9 @@ roles = Template => {"Template User" => [false, {Template => [VIEW,USE]}], "Template Owner" => [true, {Template => [VIEW,USE,MOD, VPRM,GPRM]}]},
- Deployable =>
{"Deployable User" => [false, {Deployable => [VIEW,USE]}],
"Deployable Owner" => [true, {Deployable => [VIEW,USE,MOD,VPRM,GPRM]}]},
Actually, we don't want to do it this way -- I had intended to use the same permission role/grant types across the Image Factory types -- Deployable/Assembly/Template/Image, since we had anticipated the same users would be manipulating images, deployables, etc. While Provider, Instance, and Template all have separately-identified roles, my intention was that "Template User" will allow someone to use a template (add it to assembly), an assembly (add it to deployable), or a deployable (launch it), and that "Template Owner" would allow view, edit, modify, etc on the identified object -- which can be a template, a deployable, or an assembly.
This is why the following code is found in both the assembly and deployable models:

  def self.default_privilege_target_type
    Template
  end

When we are talking about, for example, a USE permission on @object, the permission type normally matches the class of the object -- but if there's a series of related classes that all share permission types/actions, default_privilege_target_type is overridden to provide for a common set of roles that can be assigned to a set of object types (in this case, templates, deployables, assemblies, TAD collections (once we add those and decide on the name)).

For example, assign_owner_roles uses this name -- note in templates_controller, the following call is made after the template save call:

  @tpl.assign_owner_roles(current_user)

to make sure that the creating user has the owner role (including modify, etc) for the template.
As a related note, we need to make sure that when assemblies and deployables are created (and deployments too...) that we make the same call for these objects to make sure that the owner has privileges on the created object -- otherwise, the non-admin users won't be able to edit their newly-created objects.
BasePermissionObject => {"Provider Creator" => [false, {Provider => [ CRE]}], "Provider Administrator" => [false, {Provider => [VIEW, MOD,CRE,VPRM,GPRM],
@@ -69,6 +75,7 @@ roles = Quota => [VIEW, MOD], PoolFamily => [VIEW, MOD,CRE,VPRM,GPRM], Template => [VIEW,USE,MOD,CRE,VPRM,GPRM],
Deployable => [VIEW,USE,MOD,CRE,VPRM,GPRM],
This is also unnecessary, since admins will use Template-scoped permissions for deployables (just as above)
BasePermissionObject => [ MOD, VPRM,GPRM]}]}}
Role.transaction do roles.each do |role_scope, scoped_hash| diff --git a/src/features/deployable_permissions.feature b/src/features/deployable_permissions.feature new file mode 100644 index 0000000..be26972 --- /dev/null +++ b/src/features/deployable_permissions.feature @@ -0,0 +1,47 @@ +Feature: Manage Deployables as a non-admin
- In order to manage my cloud infrastructure
- As an unprivileged user
- I want to manage deployables that I have permission to use
- Background:
- Given I am a new user
- Scenario: List deployables as a new user
- Given I am on the homepage
- And there is a deployable named "MySQL cluster"
- When I go to the image factory deployables page
- Then I should see "MySQL cluster"
- Scenario: View a deployable as a new user
- Given there is a deployable named "MySQL cluster"
- And I am on the image factory deployables page
- When I follow "MySQL cluster"
- Then I should see "Edit"
- @allow-rescue
- Scenario: Try to edit a deployable as a new user
- Given there is a deployable named "Apache Webserver"
- And I am on the image factory deployables page
- When I follow "Apache Webserver"
- And I follow "Edit"
- Then I should see "You have insufficient privileges to perform action."
- @allow-rescue
- Scenario: Try to create a deployable as a new user
- Given there is a deployable named "Solr Server"
- And I am on the image factory deployables page
- When I follow "Create"
- Then I should see "You have insufficient privileges to perform action."
- @allow-rescue
- Scenario: Try to remove an assembly as a new user
- Given there is a deployable named "Mailserver Cluster"
- Given there is an assembly named "Postfix Node" belonging to "Mailserver Cluster"
- And I am on the image factory deployables page
- Then I should see "Mailserver Cluster"
- When I follow "Mailserver Cluster"
- And I follow "details_Assemblies"
- Then I should see "Postfix Node"
- When I check the "Postfix Node" assembly
- And I press "Remove Selected"
- Then I should see "You have insufficient privileges to perform action."
diff --git a/src/features/step_definitions/authentication.rb b/src/features/step_definitions/authentication.rb index e7a84bd..4a13be0 100644 --- a/src/features/step_definitions/authentication.rb +++ b/src/features/step_definitions/authentication.rb @@ -10,6 +10,17 @@ def login(login, password) click_button "Login" end
+def signup
- visit path_to("the new account page")
- fill_in "Choose a username", :with => 'newuser'
- fill_in "Choose a password", :with => 'password'
- fill_in "Confirm password", :with => 'password'
- fill_in "First name", :with => 'Unprivileged'
- fill_in "Last name", :with => "User"
- fill_in "E-mail", :with => "testuser@example.com"
- click_button "Save"
+end
- Given /^I am a registered user$/ do user end
@@ -18,6 +29,10 @@ When /^I login$/ do login(user.login, user.password) end
+Given /^I am a new user$/ do
- signup
+end
- Given /^I am logged in$/ do login(user.login, user.password) UserSession.find.should_not == nil
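A stand-alone Ruby model of the shared target type described in the reply above, added here as an illustration and not taken from the Aeolus code base. The Grants class, the "Template Creator" role, the meaning given to the owner flag, and the rule that a class-level check uses the class exactly as passed are assumptions.

```ruby
# Stand-alone model of shared permission target types. Illustration only:
# every class and method body here is an assumption, not Aeolus code.
module Privilege
  VIEW, USE, MODIFY, CREATE = :view, :use, :modify, :create
end

class PermissionDenied < StandardError; end

# A role is scoped to one target type; `owner` marks roles that the creator
# of an object receives (assumed meaning of the boolean in seeds.rb).
Role = Struct.new(:name, :target_type, :owner, :actions)

class PermissionedObject
  # By default the permission type is the object's own class.
  def self.default_privilege_target_type
    self
  end
end

class Template < PermissionedObject; end

# Image Factory types share the Template-scoped roles.
class Deployable < PermissionedObject
  def self.default_privilege_target_type
    Template
  end
end

class Assembly < PermissionedObject
  def self.default_privilege_target_type
    Template
  end
end

class Grants
  def initialize(roles)
    @roles = roles
    @rows = [] # [user, role, object]; object nil means a global grant
  end

  def grant(user, role_name, object = nil)
    role = @roles.find { |r| r.name == role_name } ||
           raise(ArgumentError, "unknown role #{role_name}")
    @rows << [user, role, object]
  end

  # Give `user` every owner role whose scope matches the object's target type.
  def assign_owner_roles(user, object)
    type = object.class.default_privilege_target_type
    @roles.select { |r| r.owner && r.target_type == type }
          .each { |r| @rows << [user, r, object] }
  end

  # Object checks resolve the type through default_privilege_target_type;
  # class checks use the class as passed (assumption) and need a global grant.
  def allowed?(user, action, target)
    type = target.is_a?(Class) ? target : target.class.default_privilege_target_type
    @rows.any? do |u, role, obj|
      u == user && role.target_type == type && role.actions.include?(action) &&
        (obj.nil? || obj.equal?(target))
    end
  end

  def require_privilege(user, action, target)
    raise PermissionDenied, "insufficient privileges" unless allowed?(user, action, target)
    true
  end
end

# Constructed roles; "Template Creator" is a made-up name for this example.
ROLES = [
  Role.new("Template User", Template, false, [Privilege::VIEW, Privilege::USE]),
  Role.new("Template Owner", Template, true, [Privilege::VIEW, Privilege::USE, Privilege::MODIFY]),
  Role.new("Template Creator", Template, false, [Privilege::CREATE])
].freeze

def demo
  grants = Grants.new(ROLES)
  grants.grant("newuser", "Template Creator")
  mine = Deployable.new  # created by newuser
  other = Deployable.new # created by someone else
  before = grants.allowed?("newuser", Privilege::MODIFY, mine)
  grants.assign_owner_roles("newuser", mine)
  {
    create_via_template: grants.allowed?("newuser", Privilege::CREATE, Template),
    create_via_deployable: grants.allowed?("newuser", Privilege::CREATE, Deployable),
    modify_before_owner_roles: before,
    modify_own: grants.allowed?("newuser", Privilege::MODIFY, mine),
    modify_other: grants.allowed?("newuser", Privilege::MODIFY, other)
  }
end
```

In this model the class-level CREATE check passes only when it names Template, and the creator can modify the new deployable only after assign_owner_roles has run.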
On Mon, Apr 25, 2011 at 07:46:39PM -0400, Scott Seago wrote:
Actually, we don't want to do it this way -- I had intended to use the same permission role/grant types across the Image Factory types -- Deployable/Assembly/Template/Image, since we had anticipated the same users would be manipulating images, deployables, etc.
I've modified this patch based on Scott's feedback, and modified the tests to match.
-- Matt
--- .../image_factory/deployables_controller.rb | 11 +++- src/features/deployable_permissions.feature | 74 ++++++++++++++++++++ src/features/step_definitions/authentication.rb | 15 ++++ src/features/step_definitions/deployable_steps.rb | 1 + 4 files changed, 100 insertions(+), 1 deletions(-) create mode 100644 src/features/deployable_permissions.feature
diff --git a/src/app/controllers/image_factory/deployables_controller.rb b/src/app/controllers/image_factory/deployables_controller.rb index 0ffa33e..1721d44 100644 --- a/src/app/controllers/image_factory/deployables_controller.rb +++ b/src/app/controllers/image_factory/deployables_controller.rb @@ -4,9 +4,9 @@ class ImageFactory::DeployablesController < ApplicationController before_filter :load_deployable_with_assemblies, :only => [:remove_assemblies, :add_assemblies, :pick_assemblies]
def index + require_privilege(Privilege::VIEW, Template) @search_term = params[:q] return if @search_term.blank? - search = Deployable.search() do keywords(params[:q]) end @@ -15,6 +15,7 @@ class ImageFactory::DeployablesController < ApplicationController
def show @deployable = Deployable.find(params[:id]) + require_privilege(Privilege::VIEW, @deployable) @url_params = params.clone @tab_captions = ['Properties', 'Assemblies', 'Deployments'] @details_tab = params[:details_tab].blank? ? 'properties' : params[:details_tab] @@ -33,12 +34,15 @@ class ImageFactory::DeployablesController < ApplicationController end
def new + require_privilege(Privilege::CREATE, Template) @deployable = Deployable.new end
def create + require_privilege(Privilege::CREATE, Template) @deployable = Deployable.new(params[:deployable]) if @deployable.save + @deployable.assign_owner_roles(current_user) flash[:notice] = "Deployable added." redirect_to image_factory_deployable_url(@deployable) else @@ -48,10 +52,12 @@ class ImageFactory::DeployablesController < ApplicationController
def edit @deployable = Deployable.find(params[:id]) + require_privilege(Privilege::MODIFY, @deployable) end
def update @deployable = Deployable.find(params[:id]) + require_privilege(Privilege::MODIFY, @deployable) if @deployable.update_attributes(params[:deployable]) flash[:notice] = "Deployable updated." redirect_to image_factory_deployable_url(@deployable) @@ -82,6 +88,7 @@ class ImageFactory::DeployablesController < ApplicationController end
def pick_assemblies + require_privilege(Privilege::MODIFY, @deployable) @assemblies = Assembly.all - @deployable.assemblies respond_to do |format| format.js { render :partial => 'pick_assemblies' } @@ -90,6 +97,7 @@ class ImageFactory::DeployablesController < ApplicationController end
def add_assemblies + require_privilege(Privilege::MODIFY, @deployable) if assemblies = params.delete(:assemblies_selected) @deployable.assembly_ids += assemblies.collect{|a| a.to_i} @deployable.save! @@ -102,6 +110,7 @@ class ImageFactory::DeployablesController < ApplicationController end
def remove_assemblies + require_privilege(Privilege::MODIFY, @deployable) if params[:assemblies_selected].present? @deployable.assembly_ids = @deployable.assembly_ids - params[:assemblies_selected].collect{|a| a.to_i} @deployable.save! diff --git a/src/features/deployable_permissions.feature b/src/features/deployable_permissions.feature new file mode 100644 index 0000000..9ca55e5 --- /dev/null +++ b/src/features/deployable_permissions.feature 
@@ -0,0 +1,74 @@ +Feature: Manage Deployables as a non-admin + In order to manage my cloud infrastructure + As an unprivileged user + I want to manage deployables that I have permission to use + + Background: + Given I am a new user + + Scenario: List deployables as a new user + Given I am on the homepage + And there is a deployable named "MySQL cluster" + When I go to the image factory deployables page + Then I should see "MySQL cluster" + + Scenario: View an existing deployable as a new user + Given there is a deployable named "MySQL cluster" + And I am on the image factory deployables page + When I follow "MySQL cluster" + Then I should see "Edit" + + @allow-rescue + Scenario: Try to edit an existing deployable as a new user + Given there is a deployable named "Apache Webserver" + And I am on the image factory deployables page + When I follow "Apache Webserver" + And I follow "Edit" + Then I should see "You have insufficient privileges to perform action." + + Scenario: Edit a deployable I created + Given I am on the image factory deployables page + When I follow "Create" + Then I should be on the new image factory deployable page + And I should see "New Deployable" + When I fill in "deployable[name]" with "Mahout Server" + And I press "Save" + Then I should be on App's image factory deployable page + And I should see "Deployable added" + And I should have a deployable named "Mahout Server" + And I should see "Mahout Server" + When I follow "Mahout Server" + And I follow "Edit" + Then I should be on the edit image factory deployable page + And I should see "Editing Deployable" + When I fill in "deployable[name]" with "MahoutModified" + And I press "Save" + Then I should be on MahoutModified's image factory deployable page + And I should see "Deployable updated" + And I should have a deployable named "MahoutModified" + And I should see "MahoutModified" + + Scenario: Create a deployable as a new user + And I am on the image factory deployables page + When I follow 
"Create" + Then I should be on the new image factory deployable page + And I should see "New Deployable" + When I fill in "deployable[name]" with "Solr Server" + And I press "Save" + Then I should be on App's image factory deployable page + And I should see "Deployable added" + And I should have a deployable named "Solr Server" + And I should see "Solr Server" + + @allow-rescue + Scenario: Try to remove an existing assembly as a new user + Given there is a deployable named "Mailserver Cluster" + Given there is an assembly named "Postfix Node" belonging to "Mailserver Cluster" + And I am on the image factory deployables page + Then I should see "Mailserver Cluster" + When I follow "Mailserver Cluster" + And I follow "details_Assemblies" + Then I should see "Postfix Node" + When I check the "Postfix Node" assembly + And I press "Remove Selected" + Then I should see "You have insufficient privileges to perform action." diff --git a/src/features/step_definitions/authentication.rb b/src/features/step_definitions/authentication.rb index e7a84bd..4a13be0 100644 --- a/src/features/step_definitions/authentication.rb +++ b/src/features/step_definitions/authentication.rb @@ -10,6 +10,17 @@ def login(login, password) click_button "Login" end
+def signup + visit path_to("the new account page") + fill_in "Choose a username", :with => 'newuser' + fill_in "Choose a password", :with => 'password' + fill_in "Confirm password", :with => 'password' + fill_in "First name", :with => 'Unprivileged' + fill_in "Last name", :with => "User" + fill_in "E-mail", :with => "testuser@example.com" + click_button "Save" +end + Given /^I am a registered user$/ do user end @@ -18,6 +29,10 @@ When /^I login$/ do login(user.login, user.password) end
+Given /^I am a new user$/ do + signup +end + Given /^I am logged in$/ do login(user.login, user.password) UserSession.find.should_not == nil diff --git a/src/features/step_definitions/deployable_steps.rb b/src/features/step_definitions/deployable_steps.rb index f86d6b2..539510c 100644 --- a/src/features/step_definitions/deployable_steps.rb +++ b/src/features/step_definitions/deployable_steps.rb @@ -21,6 +21,7 @@ end
Given /^there are deployment named "([^"]*)" belongs to "([^"]*)"$/ do |deployment_name, deployable_name| Factory(:deployment, :deployable => Deployable.find_by_name(deployable_name), :name => deployment_name) +end
Given /^there is a factory deployable named "([^"]*)"$/ do |arg1| Factory(:deployable, :name => arg1)
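Review bot: index now calls require_privilege(Privilege::VIEW, Template) on the class, but the Deployable.search() result that follows is not filtered per object, while show checks VIEW on the individual @deployable. As far as these lines show, a user who passes the class-level check gets search hits for deployables that show would refuse; filter the result set with the same per-object check, or state that listing is intentionally broader than viewing.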
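Review bot: in create, @deployable.assign_owner_roles(current_user) runs after @deployable.save has already succeeded, with no transaction around the two calls and no check on the outcome of the role assignment. If that call fails, the deployable stays saved without an owner and the edit and update checks on MODIFY will reject its creator; wrap save and assign_owner_roles in one transaction or handle the failure explicitly.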
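Review bot: the deployable_steps.rb hunk adds a lone end after the "there are deployment named ... belongs to ..." step, which is a syntax fix unrelated to permission checking. Mention it in the commit message or send it as its own patch so the fix is not buried in this change.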
On 04/26/2011 05:31 PM, Matt Wagner wrote:
On Mon, Apr 25, 2011 at 07:46:39PM -0400, Scott Seago wrote:
Actually, we don't want to do it this way -- I had intended to use the same permission role/grant types across the Image Factory types -- Deployable/Assembly/Template/Image, since we had anticipated the same users would be manipulating images, deployables, etc.
I've modified this patch based on Scott's feedback, and modified the tests to match.
-- Matt
ACK and pushed
aeolus-devel@lists.fedorahosted.org