cloudstack
Limit `listRoles` API visibility
Description
When calling the `listRoles` API, users can see roles with more permissions than theirs.
Therefore, the behavior of the `listRoles` API was changed so that users can only see roles that their role has permission to access (roles with same and less permissions).
Types of changes
- [ ] Breaking change (fix or feature that would cause existing functionality to change)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Bug fix (non-breaking change which fixes an issue)
- [X] Enhancement (improves an existing feature and functionality)
- [ ] Cleanup (Code refactoring and cleanup, that may add test cases)
- [ ] build/CI
Feature/Enhancement Scale or Bug Severity
Feature/Enhancement Scale
- [ ] Major
- [X] Minor
Bug Severity
- [ ] BLOCKER
- [ ] Critical
- [ ] Major
- [ ] Minor
- [ ] Trivial
Screenshots (if appropriate):
How Has This Been Tested?
- I created a custom role based on User role and added the `listRoles` API to it.
- I created an account using the role from step 1 and logged into it.
- I called the `listRoles` API via CloudMonkey and verified that the roles with more permissions than mine were not listed, such as default admin roles.
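The visibility rule described above, as an added example that is not code from this pull request or from CloudStack. It assumes a simplified model in which a role is just a set of allowed API names and "same and less permissions" means a subset of the caller's set; the `Role` record, the role names and the API sets are constructed for illustration, and CloudStack's actual rule evaluation is not modelled.

```java
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class RoleVisibilityExample {
    // Hypothetical, simplified role model: a name and the API names it may call.
    record Role(String name, Set<String> allowedApis) {}

    // Assumption: "same or fewer permissions" is modelled as a subset check.
    // A candidate that allows even one API the caller lacks stays hidden.
    static boolean isVisibleTo(Role caller, Role candidate) {
        return caller.allowedApis().containsAll(candidate.allowedApis());
    }

    // Names of the roles a listRoles-style call would return for this caller.
    static List<String> visibleRoles(Role caller, Collection<Role> allRoles) {
        return allRoles.stream()
                .filter(candidate -> isVisibleTo(caller, candidate))
                .map(Role::name)
                .sorted()
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample roles and API sets, not CloudStack's defaults.
        Role admin = new Role("sample-admin", Set.of("listRoles", "createRole",
                "deleteRole", "listVirtualMachines", "deployVirtualMachine"));
        Role user = new Role("sample-user",
                Set.of("listVirtualMachines", "deployVirtualMachine"));
        Role custom = new Role("sample-user-plus-listRoles",
                Set.of("listRoles", "listVirtualMachines", "deployVirtualMachine"));
        Role auditor = new Role("sample-auditor", Set.of("listRoles", "listEvents"));
        List<Role> all = List.of(admin, user, custom, auditor);

        // The custom role sees itself and the narrower user role; the admin
        // role (superset) and the auditor role (overlapping but not a
        // subset, because of listEvents) are filtered out.
        System.out.println("custom sees: " + visibleRoles(custom, all));
        // The admin role is a superset of user and custom, but still does not
        // see the auditor role, which allows an API the admin set lacks.
        System.out.println("admin sees:  " + visibleRoles(admin, all));
    }
}
```

Records require Java 16 or later. The auditor case shows why a subset check differs from comparing permission counts: two roles can overlap without either being visible to the other.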
Codecov Report
Attention: 4 lines in your changes are missing coverage. Please review.
Comparison is base (49cecae) 30.37% compared to head (3dd46d3) 30.78%. Report is 30 commits behind head on main.
Files | Patch % | Lines |
---|---|---|
...ava/org/apache/cloudstack/acl/RoleManagerImpl.java | 89.47% | 1 Missing and 3 partials :warning: |
Additional details and impacted files
@@ Coverage Diff @@
## main #8639 +/- ##
============================================
+ Coverage 30.37% 30.78% +0.41%
- Complexity 32633 33113 +480
============================================
Files 5352 5353 +1
Lines 374419 374635 +216
Branches 54609 54645 +36
============================================
+ Hits 113719 115348 +1629
+ Misses 245523 243994 -1529
- Partials 15177 15293 +116
Flag | Coverage Δ | |
---|---|---|
simulator-marvin-tests | 24.66% <69.23%> (+0.51%) | :arrow_up: |
uitests | 4.38% <ø> (-0.01%) | :arrow_down: |
unit-tests | 16.44% <64.10%> (+0.02%) | :arrow_up: |
@blueorangutan package
@JoaoJandre a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 9277
@DaanHoogland @sureshanaparti @rohityadavcloud @shwstppr could we run the CI here?
@blueorangutan test
@DaanHoogland a [SL] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
[SF] Trillian Build Failed (tid-9857)
@blueorangutan package
@BryanMLima a [SL] Jenkins job has been kicked to build packages. It will be bundled with KVM, XenServer and VMware SystemVM templates. I'll keep you posted as I make progress.
Packaging result [SF]: ✔️ el7 ✔️ el8 ✔️ el9 ✔️ debian ✔️ suse15. SL-JID 9407
@blueorangutan test
@DaanHoogland a [SL] Trillian-Jenkins test job (centos7 mgmt + kvm-centos7) has been kicked to run smoke tests
[SF] Trillian test result (tid-10015)
Environment: kvm-centos7 (x2), Advanced Networking with Mgmt server 7
Total time taken: 54141 seconds
Marvin logs: https://github.com/blueorangutan/acs-prs/releases/download/trillian/pr8639-t10015-kvm-centos7.zip
Smoke tests completed. 129 look OK, 1 have errors, 0 did not run
Only failed and skipped tests results shown below:
Test | Result | Time (s) | Test File |
---|---|---|---|
test_01_events_resource | Error | 434.56 | test_events_resource.py |