Issue #1360

Permissions retrieval from API doesn't work as expected

Added by amacdona@redhat.com over 8 years ago. Updated about 5 years ago.

Status: CLOSED - WONTFIX
Priority: Low
Assignee: -
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release:
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

http://pulp.readthedocs.org/en/latest/dev-guide/integration/rest-api/permission/retrieval.html#retrieve-permissions-for-particular-resource

tl;dr: the Permissions API only returns resources that are explicitly granted, leaving out resources that are implicitly granted.

A user is authorized to use a resource if they have been explicitly granted access to that resource or if the user has been granted access to a base of the given resource.

So if the user "admin" has been given access to `/`, they will implicitly have permission to access `/repositories/`.

As an example, if we query the API to see what users have permission to use the resource `/`, since admin was explicitly granted permission to this url, we can see that admin has permission here.

(pulp)[vagrant@dev pulp]$ http --json -a admin:admin --verify=no GET 'https://localhost/pulp/api/v2/permissions/?resource=/'
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 191
Content-Type: application/json; charset=utf-8
Date: Thu, 05 Nov 2015 20:51:44 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.16 (Fedora) OpenSSL/1.0.1k-fips mod_wsgi/4.4.8 Python/2.7.10

[
    {
        "_id": {
            "$oid": "563a54c6e779892dc40d2a9b"
        }, 
        "_ns": "permissions", 
        "id": "563a54c6e779892dc40d2a9b", 
        "resource": "/", 
        "users": {
            "admin": [
                "CREATE", 
                "READ", 
                "UPDATE", 
                "DELETE", 
                "EXECUTE"
            ]
        }
    }
]

However, despite the fact that the admin user has access to `/repositories/` because it has been granted access to `/`, this access is not shown by the API.

(pulp)[vagrant@dev pulp]$ http --json -a admin:admin --verify=no GET 'https://localhost/pulp/api/v2/permissions/?resource=/repositories/'
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Length: 2
Content-Type: application/json; charset=utf-8
Date: Thu, 05 Nov 2015 20:52:05 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.16 (Fedora) OpenSSL/1.0.1k-fips mod_wsgi/4.4.8 Python/2.7.10

[]
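The authorization rule described above (explicit grant on the resource, or a grant on any base path of it) is easy to state but, as the two queries show, the retrieval endpoint only answers the first half of it. The following is an added example, not Pulp's own code: it models permission records in the same shape the API returns (`resource` plus a `users` map of operation names), and contrasts an exact-match lookup, which mirrors the current API behaviour, with an effective-permission lookup that walks the base paths. The record set, the user names `reader` and `ops`, and the sub-resource paths under `/repositories/` are constructed for the example.

```python
"""Effective-permission lookup over Pulp-style permission records.

Added example, not Pulp's own code. It implements the rule from the issue:
a user is authorized for a resource if they were granted on that exact path
or on any base (ancestor) path of it. Grants never flow downward to upward,
i.e. a grant on a child path says nothing about its parent.
"""

# Constructed sample records, shaped like the API response in the issue.
PERMISSIONS = [
    {"resource": "/", "users": {"admin": ["CREATE", "READ", "UPDATE", "DELETE", "EXECUTE"]}},
    {"resource": "/repositories/", "users": {"reader": ["READ"]}},
    {"resource": "/repositories/rpm/", "users": {"reader": ["READ", "UPDATE"], "ops": ["EXECUTE"]}},
]


def base_paths(resource):
    """Yield the normalized resource and every ancestor path, most specific first.

    '/repositories/rpm/' -> '/repositories/rpm/', '/repositories/', '/'
    """
    path = resource if resource.endswith("/") else resource + "/"
    while True:
        yield path
        if path == "/":
            return
        # Strip the last segment: '/repositories/rpm/' -> '/repositories/'
        path = path[: path.rstrip("/").rfind("/") + 1]


def explicit_permissions(records, resource):
    """Exact-match lookup: this is what the retrieval endpoint currently does."""
    return [record["users"] for record in records if record["resource"] == resource]


def effective_permissions(records, resource):
    """Per-user union of grants on the resource and on all of its base paths."""
    bases = set(base_paths(resource))
    effective = {}
    for record in records:
        if record["resource"] in bases:
            for user, operations in record["users"].items():
                effective.setdefault(user, set()).update(operations)
    # Sorted lists keep the output deterministic and easy to compare.
    return {user: sorted(ops) for user, ops in effective.items()}


def is_authorized(records, user, resource, operation):
    """True if `user` may perform `operation` on `resource` under the base-path rule."""
    return operation in effective_permissions(records, resource).get(user, [])


if __name__ == "__main__":
    # Reproduces the issue: exact match finds nothing for '/repositories/rpm/fedora/'
    # even though admin (via '/') and reader/ops (via parents) are authorized there.
    target = "/repositories/rpm/fedora/"
    print("explicit :", explicit_permissions(PERMISSIONS, target))
    print("effective:", effective_permissions(PERMISSIONS, target))
    print("admin DELETE on /repositories/ :", is_authorized(PERMISSIONS, "admin", "/repositories/", "DELETE"))
    print("reader READ on / :", is_authorized(PERMISSIONS, "reader", "/", "READ"))
```

Note that `effective_permissions` is a reporting helper: it answers "who can do what here", which is the question the retrieval endpoint is documented to answer. A per-request authorization check would normally stop at the first matching base path that grants the operation rather than building the whole union.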
