Issue #9589
closedA permission type does not match the type of a repository
Description
Recent CI failures (https://github.com/pulp/pulp_container/runs/4348993881?check_suite_focus=true#step:13:1449):
E Traceback (most recent call last):
E File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
E response = get_response(request)
E File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
E response = wrapped_callback(request, *callback_args, **callback_kwargs)
E File "/usr/local/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
E return view_func(*args, **kwargs)
E File "/usr/local/lib/python3.8/site-packages/rest_framework/viewsets.py", line 125, in view
E return self.dispatch(request, *args, **kwargs)
E File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 509, in dispatch
E response = self.handle_exception(exc)
E File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 469, in handle_exception
E self.raise_uncaught_exception(exc)
E File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
E raise exc
E File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 506, in dispatch
E response = handler(request, *args, **kwargs)
E File "/usr/local/lib/python3.8/site-packages/rest_framework/mixins.py", line 38, in list
E queryset = self.filter_queryset(self.get_queryset())
E File "/usr/local/lib/python3.8/site-packages/pulp_container/app/viewsets.py", line 199, in get_queryset
E repo_pks = self._repo_query_params(self.request, self, repo_info)
E File "/usr/local/lib/python3.8/site-packages/pulp_container/app/viewsets.py", line 174, in _repo_query_params
E elif request.user.has_perm(repo_info.push_perm, repo) or request.user.has_perm(
E File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/models.py", line 300, in has_perm
E return _user_has_perm(self, perm, obj)
E File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/models.py", line 210, in _user_has_perm
E if backend.has_perm(user, perm, obj):
E File "/usr/local/lib/python3.8/site-packages/pulpcore/backends.py", line 46, in has_perm
E raise RuntimeError(
E
E Exception Type: RuntimeError at /pulp/api/v3/content/container/tags/
E Exception Value: Permission container.view_containerpushrepository is not suitable for objects of class <class 'pulp_container.app.models.ContainerRepository'>.
They were triggered after merging the commit ab6225b6cfd29864a51baac4d9ad385b37983529, caused pulp_container to fail when checking object permissions.
We should at least perform similar checks to those in access_policy.py
and add a fallback that does not rigidly check for view_containerpushrepository
and view_containerrepository
in a strict order.
Updated by lmjachky about 3 years ago
- Subject changed from Permission type does not match the type of a repository to A permission type does not match the type of a repository
Updated by lmjachky about 3 years ago
I think there should be a snippet of code that first determines the type of a repository and then asserts the corresponding type of permission to it (everything should be done within the object-level permission context because, at the moment, we are ignoring such context and blindly test object permissions).
Updated by mdellweg about 3 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to mdellweg
Updated by pulpbot about 3 years ago
- Status changed from ASSIGNED to POST
Added by mdellweg about 3 years ago
Added by mdellweg about 3 years ago
Updated by mdellweg about 3 years ago
- Status changed from POST to MODIFIED
Applied in changeset 8fe53f4e5c31778bbf9345df90024fc3ebe7d2a4.
Updated by pulpbot about 3 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Fix queryset scoping
Only ask for permissions matching the object type.
fixes #9589