osrd
front: enable authorization
closes #8049
> [!WARNING]
> There is currently an authorization bug between the core service and the Editoast service that prevents retrieving the infraId. This issue is being worked on and will be fixed soon. Because of this, the ManageTrainSchedule and STDCM views may have refresh problems.
New Functionalities:
- Allows specific parts of the interface to be accessible based on the user's role and the required role for access.
- [x] When the user is Railway Undertaking, they are redirected directly to the STDCM page.
- [x] When the user is Operational Studies, they are taken to the homepage, with the STDCM application grayed out.
- [x] When the user is a Superuser, they have full access to everything.
- [x] If the user has no role, they will have no access to any part of the app from the homepage.
- [x] If a user tries to access an application directly via URL without the proper role, they are redirected to a 403 page. For instance, if an Operational Studies user tries to access anything other than STDCM, or if a user with no role tries to access any page, they will be blocked.
- [x] The button to access the STDCM debug mode is now restricted to users with the Superuser role.
- [x] The creation of a project, study, or scenario is limited to users with the OpsWrite role. (Both OpsWrite and OpsRead can open the Ops application: OpsWrite can create, OpsRead can list the projects/studies/scenarios.)
Technical Updates:
- User roles are now fetched and stored in the Redux store.
- Added the `REQUIRED_USER_ROLES_FOR` object, which describes the roles required for accessing the various views and features, and those associated with the different user profiles.
- Improved the `RoleBasedComponent` wrapper by adding the `disabledIfUnauthorized` property, which grays out the wrapped component instead of hiding it when the user lacks the proper authorization.
- Use the same component to handle project, study and scenario creation.
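To make the gating rules above concrete, here is an added example (not osrd's own code) that models them as plain functions: a `REQUIRED_USER_ROLES_FOR` lookup with a Superuser bypass, the homepage redirect per profile, the 403 route guard for direct URL access, and the render/disabled/hidden decision a `RoleBasedComponent`-style wrapper makes. The shape of the object, the feature keys, the paths and the function names are assumptions; the role names come from the PR's SQL scripts.

```typescript
// Added example, not osrd code: models the frontend role checks described in the PR.
// Feature keys, object shape and routes are assumed; role names come from the SQL scripts.
type Role = 'Superuser' | 'Stdcm' | 'OpsRead' | 'OpsWrite' | 'InfraRead' | 'MapRead';
type Feature = 'STDCM' | 'OPERATIONAL_STUDIES' | 'CREATE_PROJECT' | 'STDCM_DEBUG';

// Assumed shape: for each feature, any one of the listed roles grants access.
// An empty list means "Superuser only" (the STDCM debug button).
const REQUIRED_USER_ROLES_FOR: Record<Feature, Role[]> = {
  STDCM: ['Stdcm'],
  OPERATIONAL_STUDIES: ['OpsRead', 'OpsWrite'],
  CREATE_PROJECT: ['OpsWrite'],
  STDCM_DEBUG: [],
};

// Superuser bypasses every check; anyone else needs at least one of the required roles.
function isAuthorized(userRoles: Role[], feature: Feature): boolean {
  if (userRoles.includes('Superuser')) return true;
  return REQUIRED_USER_ROLES_FOR[feature].some((r) => userRoles.includes(r));
}

// Where the homepage sends a user: Railway Undertaking (STDCM role but no Ops role)
// goes straight to STDCM; everyone else, including users with no role, stays on the homepage.
function homeRedirect(userRoles: Role[]): string {
  const stdcm = isAuthorized(userRoles, 'STDCM');
  const ops = isAuthorized(userRoles, 'OPERATIONAL_STUDIES');
  return stdcm && !ops ? '/stdcm' : '/';
}

// Route guard for direct URL access: unauthorized users land on the 403 page.
function guardRoute(userRoles: Role[], feature: Feature, path: string): string {
  return isAuthorized(userRoles, feature) ? path : '/403';
}

// What a RoleBasedComponent-style wrapper decides for an unauthorized user:
// gray the child out (disabledIfUnauthorized = true) or hide it entirely.
type RenderMode = 'render' | 'disabled' | 'hidden';
function renderMode(userRoles: Role[], feature: Feature, disabledIfUnauthorized: boolean): RenderMode {
  if (isAuthorized(userRoles, feature)) return 'render';
  return disabledIfUnauthorized ? 'disabled' : 'hidden';
}
```

Graying out or hiding a control is a UX convenience: the authorization that counts is Editoast's server-side check against the roles stored in `authz_role`, which is why the test plan below enables authorization on Editoast rather than only changing the Redux store.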
How to Test:
- Enable authorization on Editoast: add the environment variable `EDITOAST_DISABLE_AUTHORIZATION: "false"` to the `docker-compose.yml` file, just below `OSRD_MQ_URL`. Or, if you run editoast individually:
  `EDITOAST_DISABLE_AUTHORIZATION=false cargo run runserver`
- Rebuild the Editoast Docker image: rebuild the Editoast Docker image and restart it.
- Apply the SQL scripts: depending on the user profile and the feature access you want to test, apply the following SQL scripts. After starting editoast with `EDITOAST_DISABLE_AUTHORIZATION=false`, you should have a subject 1 created in the `authn_subject` table.
Railway Undertaking profile:

```sql
DELETE FROM authz_role WHERE subject = 1;
INSERT INTO authz_role (id, subject, role) VALUES
(1, 1, 'Stdcm'),
(2, 1, 'RollingStockCollectionRead'),
(3, 1, 'WorkScheduleRead'),
(4, 1, 'InfraRead'),
(5, 1, 'DocumentRead'),
(6, 1, 'MapRead'),
(7, 1, 'TimetableRead');
```

Operational Studies profile:

```sql
DELETE FROM authz_role WHERE subject = 1;
INSERT INTO authz_role (id, subject, role) VALUES
(1, 1, 'OpsRead'),
(2, 1, 'OpsWrite'),
(3, 1, 'InfraRead'),
(4, 1, 'InfraWrite'),
(5, 1, 'RollingStockCollectionRead'),
(6, 1, 'RollingStockCollectionWrite'),
(7, 1, 'WorkScheduleRead'),
(8, 1, 'TimetableRead'),
(9, 1, 'TimetableWrite'),
(10, 1, 'DocumentRead'),
(11, 1, 'DocumentWrite'),
(12, 1, 'MapRead');
```

Superuser:

```sql
DELETE FROM authz_role WHERE subject = 1;
INSERT INTO authz_role (id, subject, role) VALUES
(1, 1, 'Superuser');
```

No authorization to create project/study/scenario (OpsRead without OpsWrite):

```sql
DELETE FROM authz_role WHERE subject = 1;
INSERT INTO authz_role (id, subject, role) VALUES
(1, 1, 'OpsRead'),
(3, 1, 'InfraRead'),
(5, 1, 'RollingStockCollectionRead'),
(6, 1, 'RollingStockCollectionWrite'),
(7, 1, 'WorkScheduleRead'),
(8, 1, 'TimetableRead'),
(9, 1, 'TimetableWrite'),
(10, 1, 'DocumentRead'),
(11, 1, 'DocumentWrite'),
(12, 1, 'MapRead');
```
Codecov Report
Attention: Patch coverage is 2.01005% with 195 lines in your changes missing coverage. Please review.
Project coverage is 39.71%. Comparing base (f7f1991) to head (18cfb7c). Report is 5 commits behind head on dev.
Additional details and impacted files
```
@@             Coverage Diff             @@
##                dev    #9237     +/-   ##
============================================
- Coverage     39.77%   39.71%   -0.07%
  Complexity     2270     2270
============================================
  Files          1302     1302
  Lines         99565    99671    +106
  Branches       3282     3283      +1
============================================
- Hits          39599    39581     -18
- Misses        58034    58157    +123
- Partials       1932     1933      +1
```
| Flag | Coverage Δ | |
|---|---|---|
| core | 75.06% <ø> (ø) | |
| editoast | 73.50% <ø> (-0.08%) | :arrow_down: |
| front | 10.18% <2.01%> (-0.02%) | :arrow_down: |
| gateway | 2.19% <ø> (ø) | |
| osrdyne | 3.28% <ø> (ø) | |
| railjson_generator | 87.49% <ø> (ø) | |
| tests | 86.71% <ø> (ø) | |
> There is currently an authorization bug between the core service and the Editoast service that prevents retrieving the infraId. This issue is being worked on and will be fixed soon. Because of this, the ManageTrainSchedule and STDCM views may have refresh problems.
Was fixed in https://github.com/OpenRailAssociation/osrd/pull/9278, thanks for reporting it :)