Issue #9589

closed

A permission type does not match the type of a repository

Added by lmjachky about 3 years ago. Updated about 3 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Sprint/Milestone:
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Platform Release:
OS:
Triaged: No
Groomed: No
Sprint Candidate: No
Tags:
Sprint: Sprint 110
Quarter:

Description

Recent CI failures (https://github.com/pulp/pulp_container/runs/4348993881?check_suite_focus=true#step:13:1449):

E           Traceback (most recent call last):
E             File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
E               response = get_response(request)
E             File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
E               response = wrapped_callback(request, *callback_args, **callback_kwargs)
E             File "/usr/local/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
E               return view_func(*args, **kwargs)
E             File "/usr/local/lib/python3.8/site-packages/rest_framework/viewsets.py", line 125, in view
E               return self.dispatch(request, *args, **kwargs)
E             File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 509, in dispatch
E               response = self.handle_exception(exc)
E             File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 469, in handle_exception
E               self.raise_uncaught_exception(exc)
E             File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
E               raise exc
E             File "/usr/local/lib/python3.8/site-packages/rest_framework/views.py", line 506, in dispatch
E               response = handler(request, *args, **kwargs)
E             File "/usr/local/lib/python3.8/site-packages/rest_framework/mixins.py", line 38, in list
E               queryset = self.filter_queryset(self.get_queryset())
E             File "/usr/local/lib/python3.8/site-packages/pulp_container/app/viewsets.py", line 199, in get_queryset
E               repo_pks = self._repo_query_params(self.request, self, repo_info)
E             File "/usr/local/lib/python3.8/site-packages/pulp_container/app/viewsets.py", line 174, in _repo_query_params
E               elif request.user.has_perm(repo_info.push_perm, repo) or request.user.has_perm(
E             File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/models.py", line 300, in has_perm
E               return _user_has_perm(self, perm, obj)
E             File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/models.py", line 210, in _user_has_perm
E               if backend.has_perm(user, perm, obj):
E             File "/usr/local/lib/python3.8/site-packages/pulpcore/backends.py", line 46, in has_perm
E               raise RuntimeError(
E           
E           Exception Type: RuntimeError at /pulp/api/v3/content/container/tags/
E           Exception Value: Permission container.view_containerpushrepository is not suitable for objects of class <class 'pulp_container.app.models.ContainerRepository'>.

They were triggered after merging the commit ab6225b6cfd29864a51baac4d9ad385b37983529, which caused pulp_container to fail when checking object permissions.

We should at least perform similar checks to those in access_policy.py and add a fallback that does not rigidly check for view_containerpushrepository and view_containerrepository in a strict order.

Actions #1

Updated by lmjachky about 3 years ago

  • Subject changed from Permission type does not match the type of a repository to A permission type does not match the type of a repository
Actions #2

Updated by lmjachky about 3 years ago

  • Description updated (diff)
Actions #3

Updated by lmjachky about 3 years ago

I think there should be a snippet of code that first determines the type of a repository and then asserts the corresponding type of permission to it (everything should be done within the object-level permission context because, at the moment, we are ignoring such context and blindly testing object permissions).
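The idea raised in the description and in the comment above, as an added example (not code from pulp_container or pulpcore): the repository's type selects the single permission that is checked against it. `StrictBackend`, the two dataclasses standing in for the real models, and the users and repository names are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ContainerRepository:        # stand-in for the real model
    name: str

@dataclass(frozen=True)
class ContainerPushRepository:    # stand-in for the real model
    name: str

class StrictBackend:
    """Hypothetical backend: refuses a permission whose model is not the object's class."""
    def __init__(self, grants):
        self.grants = set(grants)  # {(user, permission, repository name)}

    def has_perm(self, user, perm, obj):
        model = perm.split(".", 1)[1].split("_", 1)[1]  # "view_foo" -> "foo"
        if model != type(obj).__name__.lower():
            raise RuntimeError(f"Permission {perm} is not suitable for objects of class {type(obj)}.")
        return (user, perm, obj.name) in self.grants

PUSH_VIEW = "container.view_containerpushrepository"
REPO_VIEW = "container.view_containerrepository"
VIEW_PERM = {ContainerRepository: REPO_VIEW, ContainerPushRepository: PUSH_VIEW}

def visible_fixed_order(backend, user, repos):
    """Failing pattern: both permissions are tried on every object, in a fixed order."""
    return [r.name for r in repos
            if backend.has_perm(user, PUSH_VIEW, r) or backend.has_perm(user, REPO_VIEW, r)]

def visible_by_type(backend, user, repos):
    """Ask only for the permission that belongs to the object's own type."""
    visible = []
    for repo in repos:
        perm = VIEW_PERM.get(type(repo))
        # A type without a mapped permission is never listed (deny by default).
        if perm is not None and backend.has_perm(user, perm, repo):
            visible.append(repo.name)
    return visible

# Constructed sample data: alice may view one mirror and one push repository.
REPOS = [ContainerRepository("mirror"), ContainerPushRepository("team-a"),
         ContainerPushRepository("team-b")]
BACKEND = StrictBackend({("alice", REPO_VIEW, "mirror"), ("alice", PUSH_VIEW, "team-a")})

def fixed_order_fails():
    try:
        visible_fixed_order(BACKEND, "alice", REPOS)
    except RuntimeError:
        return True
    return False
```

Mapping the type to its permission keeps the backend's strict check in place instead of catching the `RuntimeError`, so a genuinely mismatched permission elsewhere still surfaces as an error rather than as a silent deny or allow.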

Actions #4

Updated by ttereshc about 3 years ago

  • Description updated (diff)
Actions #5

Updated by mdellweg about 3 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to mdellweg
Actions #6

Updated by mdellweg about 3 years ago

  • Sprint set to Sprint 110
Actions #7

Updated by pulpbot about 3 years ago

  • Status changed from ASSIGNED to POST

Added by mdellweg about 3 years ago

Revision 8fe53f4e | View on GitHub

Fix queryset scoping

Only ask for permissions matching the object type.

fixes #9589

Actions #8

Updated by mdellweg about 3 years ago

  • Status changed from POST to MODIFIED
Actions #9

Updated by ipanova@redhat.com about 3 years ago

  • Sprint/Milestone set to 2.10.0
Actions #10

Updated by pulpbot about 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE
