diff --git a/CHANGES/2781.bugfix b/CHANGES/2781.bugfix
new file mode 100644
index 0000000000..efee5117af
--- /dev/null
+++ b/CHANGES/2781.bugfix
@@ -0,0 +1 @@
+Allow all authenticated users to list and retrieve other users when using github social auth.
diff --git a/galaxy_ng/app/access_control/access_policy.py b/galaxy_ng/app/access_control/access_policy.py
index d82013684c..b2d91c4443 100644
--- a/galaxy_ng/app/access_control/access_policy.py
+++ b/galaxy_ng/app/access_control/access_policy.py
@@ -281,6 +281,23 @@ def v3_can_destroy_collections(self, request, view, action):
             return True
         return False
 
+    def v3_can_view_users(self, request, view, action):
+        """
+        Community galaxy users need to be able to see one-another,
+        so that they can grant eachother access to their namespaces.
+        """
+        SOCIAL_AUTH_GITHUB_KEY = settings.get("SOCIAL_AUTH_GITHUB_KEY", default=None)
+        SOCIAL_AUTH_GITHUB_SECRET = settings.get("SOCIAL_AUTH_GITHUB_SECRET", default=None)
+        is_github_social_auth = all([SOCIAL_AUTH_GITHUB_KEY, SOCIAL_AUTH_GITHUB_SECRET])
+
+        if is_github_social_auth:
+            return True
+
+        if request.user.has_perm('galaxy.view_user'):
+            return True
+
+        return False
+
     def has_ansible_repo_perms(self, request, view, action, permission):
         """
         Check if the user has model or object-level permissions
diff --git a/galaxy_ng/app/access_control/statements/standalone.py b/galaxy_ng/app/access_control/statements/standalone.py
index 70e0da14a6..58fb4053eb 100644
--- a/galaxy_ng/app/access_control/statements/standalone.py
+++ b/galaxy_ng/app/access_control/statements/standalone.py
@@ -198,13 +198,13 @@
             "action": ["list"],
             "principal": "authenticated",
             "effect": "allow",
-            "condition": "has_model_perms:galaxy.view_user"
+            "condition": ["v3_can_view_users"],
         },
         {
             "action": ["retrieve"],
             "principal": "authenticated",
             "effect": "allow",
-            "condition": "has_model_perms:galaxy.view_user"
+            "condition": ["v3_can_view_users"],
         },
         {
             "action": "destroy",
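Review bot: `v3_can_view_users` infers "community deployment" from the mere presence of `SOCIAL_AUTH_GITHUB_KEY` and `SOCIAL_AUTH_GITHUB_SECRET`, so any standalone instance that has GitHub social auth configured, including one that also uses other authentication, now lets every authenticated account list and retrieve every user record through the two statements changed in standalone.py in this same commit. The new unit tests confirm the grant is independent of `GALAXY_DEPLOYMENT_MODE`, and the `galaxy.view_user` permission check on the following lines is never consulted once the key pair is set. If community-only behaviour is the intent, gate on an explicit community/social-auth feature setting (placeholder: `settings.get("<explicit community-mode flag>", default=False)`) rather than on credential presence. At minimum the docstring should say what the check actually does, e.g. `NOTE: the presence of the GitHub OAuth key pair is used as a proxy for community mode; when set, every authenticated user gets read access to all user records regardless of galaxy.view_user.`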
diff --git a/galaxy_ng/tests/integration/community/test_community_namespace_rbac.py b/galaxy_ng/tests/integration/community/test_community_namespace_rbac.py
index a939c53e1d..7a6b765638 100644
--- a/galaxy_ng/tests/integration/community/test_community_namespace_rbac.py
+++ b/galaxy_ng/tests/integration/community/test_community_namespace_rbac.py
@@ -570,3 +570,28 @@ def test_community_social_v3_namespace_sorting(ansible_config):
     # https://issues.redhat.com/browse/AAH-2729
     # social auth code was trying to sort namespaces ...
     pass
+
+
+@pytest.mark.deployment_community
+def test_social_auth_access_api_ui_v1_users(ansible_config):
+    # https://issues.redhat.com/browse/AAH-2781
+
+    username = "foo1234"
+    default_cfg = extract_default_config(ansible_config)
+
+    ga = GithubAdminClient()
+    ga.delete_user(login=username)
+
+    user_c = ga.create_user(login=username, email="foo1234@gmail.com")
+    user_c.update(default_cfg)
+    user_c['username'] = username
+
+    with SocialGithubClient(config=user_c) as client:
+        users_resp = client.get('_ui/v1/users/')
+        assert users_resp.status_code == 200
+
+        # try to fetch each user ..
+        for udata in users_resp.json()['data']:
+            uid = udata['id']
+            user_resp = client.get(f'_ui/v1/users/{uid}/')
+            assert user_resp.status_code == 200
diff --git a/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py b/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py
index 1f5e7df182..f87250b35f 100644
--- a/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py
+++ b/galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py
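Review bot: The `for udata in users_resp.json()['data']` loop in `test_social_auth_access_api_ui_v1_users` passes even when the listing contains only the caller's own record, so the test does not demonstrate the behaviour the changelog claims ("list and retrieve other users"). Assert before the loop that at least one other account is visible, e.g. `assert len(users_resp.json()['data']) > 1`, or check that a known other login appears in the returned data. A one-line docstring stating the expectation under GitHub social auth would help too, since the AAH link is currently the only description of intent.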
@@ -130,13 +130,15 @@ def test_user_can_create_users_with_right_perms(self):
         self.assertEqual(response.status_code, status.HTTP_201_CREATED)
 
     def test_user_list(self):
-        def _test_user_list():
+        def _test_user_list(expected=None):
+            # Check test user can[not] view other users
             self.client.force_authenticate(user=self.user)
             log.debug("self.client: %s", self.client)
             log.debug("self.client.__dict__: %s", self.client.__dict__)
             response = self.client.get(self.user_url)
-            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+            self.assertEqual(response.status_code, expected)
 
+            # Check admin user can -always- view others
             self.client.force_authenticate(user=self.admin_user)
             response = self.client.get(self.user_url)
             self.assertEqual(response.status_code, status.HTTP_200_OK)
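Review bot: `expected=None` in `def _test_user_list(expected=None):` is a default that can never be correct: a call that omits the argument fails inside the helper on `assertEqual(response.status_code, None)` with a misleading message instead of at the call site. Make the parameter required, `def _test_user_list(expected):`, so every caller has to state the status it asserts. The same applies to `_test_user_get(expected=None)` in the next hunk. The enclosing `test_user_list` continues past the end of this hunk.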
@@ -144,25 +146,34 @@ def _test_user_list():
             self.assertEqual(len(data), auth_models.User.objects.all().count())
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
-            _test_user_list()
+            _test_user_list(expected=status.HTTP_403_FORBIDDEN)
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
-            _test_user_list()
+            _test_user_list(expected=status.HTTP_403_FORBIDDEN)
+
+        # community
+        kwargs = {
+            'GALAXY_DEPLOYMENT_MODE': DeploymentMode.STANDALONE.value,
+            'SOCIAL_AUTH_GITHUB_KEY': '1234',
+            'SOCIAL_AUTH_GITHUB_SECRET': '1234'
+        }
+        with self.settings(**kwargs):
+            _test_user_list(expected=status.HTTP_200_OK)
 
     def test_user_get(self):
-        def _test_user_get():
-            # Check test user cannot view themselves on the users/ api
+        def _test_user_get(expected=None):
+            # Check test user can[not] view themselves on the users/ api
             self.client.force_authenticate(user=self.user)
             url = "{}{}/".format(self.user_url, self.user.id)
             response = self.client.get(url)
-            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+            self.assertEqual(response.status_code, expected)
 
-            # Check test user cannot view other users
+            # Check test user can[not] view other users
             url = "{}{}/".format(self.user_url, self.admin_user.id)
             response = self.client.get(url)
-            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+            self.assertEqual(response.status_code, expected)
 
-            # Check admin user can view others
+            # Check admin user can -always- view others
             self.client.force_authenticate(user=self.admin_user)
             url = "{}{}/".format(self.user_url, self.user.id)
             response = self.client.get(url)
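Review bot: The community settings dict (`kwargs = {...}` with `GALAXY_DEPLOYMENT_MODE`, `SOCIAL_AUTH_GITHUB_KEY` and `SOCIAL_AUTH_GITHUB_SECRET`) added to `test_user_list` here is repeated verbatim in `test_user_get` in the following hunk; hoist it to one class-level constant so the two cases cannot drift apart. The settings matrix also only exercises credentials-set under STANDALONE mode, which is exactly the combination the new policy relies on; if credentials set under INSIGHTS mode are meant to stay 403, a case for that combination would pin it, assuming the insights statements route through the same condition. `test_user_get` runs past the end of this hunk.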
@@ -175,10 +186,19 @@ def _test_user_get():
             self.assertTrue(self.user.groups.exists(id=group["id"]))
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
-            _test_user_get()
+            _test_user_get(expected=status.HTTP_403_FORBIDDEN)
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
-            _test_user_get()
+            _test_user_get(expected=status.HTTP_403_FORBIDDEN)
+
+        # community
+        kwargs = {
+            'GALAXY_DEPLOYMENT_MODE': DeploymentMode.STANDALONE.value,
+            'SOCIAL_AUTH_GITHUB_KEY': '1234',
+            'SOCIAL_AUTH_GITHUB_SECRET': '1234'
+        }
+        with self.settings(**kwargs):
+            _test_user_get(expected=status.HTTP_200_OK)
 
     def _test_create_or_update(self, method_call, url, new_user_data, crud_status, auth_user):
         self.client.force_authenticate(user=auth_user)