
UI makes it appear as though a read only user can delete events

Open rgeniesse opened this issue 6 years ago • 2 comments

Expected Behavior

When a read only user logs in and selects an event or events, then clicks the delete button, nothing happens and an error is presented saying unauthorized.

Current Behavior

When a read only user logs in and selects an event or events, then clicks the delete button, the UI seems to show those events being deleted, then throws an error that does say Unauthorized in it, but also gives the option to open a bug report, which is misleading as it isn't a bug; the user doesn't have permission to do the action.

It also requires an entire reload of the UI to recover.

Possible Solution

If a user is read only, the delete button is greyed out. Alternatively, if a user is read only, the delete button remains clickable but throws a more graceful error after attempting to delete, and doesn't require a reload of the UI nor offer the option to make a bug, as the error is expected.

Steps to Reproduce

  1. Create a read only user using the following definitions:

     {
       "type": "User",
       "api_version": "core/v2",
       "metadata": {},
       "spec": {
         "username": "guest",
         "password": "i<3sensu",
         "disabled": false
       }
     }
     {
       "type": "RoleBinding",
       "api_version": "core/v2",
       "metadata": {
         "name": "guest-binding",
         "namespace": "default"
       },
       "spec": {
         "role_ref": {
           "name": "view",
           "type": "ClusterRole"
         },
         "subjects": [
           {
             "name": "guest",
             "type": "User"
           }
         ]
       }
     }

  2. Login as the guest user.
  3. Go to the events tab and select an event.
  4. Click delete toward the upper right hand side, confirm and see the error that pops up and the UI behavior where the event "appears" to go away. The behavior is easier to see with 5+ events present.

I've also displayed the behavior here:

[screen recording: 2019-05-20 14 37 49]

Context

Attempting to use a read only user for Sensu demos and noticed the behavior. At first I thought the read only user was actually able to delete events. It is a bit misleading and also could be an improved user experience for that and catching the error in a better manner.

Additional note: I see other items in the UI that are not greyed out that may need to be audited as well for a read only user.

Your Environment

  • Sensu version used (sensuctl, sensu-backend, and/or sensu-agent): Sensu Go 5.7 all around.
  • Installation method (packages, binaries, docker etc.): Packages
  • Operating System and version (e.g. Ubuntu 14.04): CentOS 7.
  • Browser used: Firefox 66.0.5.

rgeniesse avatar May 20 '19 21:05 rgeniesse
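The two behaviours the report describes, as an added example that is not code from sensu/web or sensu-go: an optimistic delete that removes rows from the list before the server answers (so a read-only user sees events "disappear" and then gets a generic error with a bug-report prompt), next to a confirmed delete that removes only what the server acknowledged and treats 401/403 as an expected permission error. The `deleteEvent` callback, the backend stub and the sample events are all constructed for this example, not the UI's real API client.

```javascript
// Added example, not code from sensu/web or sensu-go. `deleteEvent` is a
// hypothetical stand-in for the UI's API call; the backend stub and the
// sample events are constructed here. Calls are synchronous so the state
// logic stays easy to follow; a real client would await each request.

// Constructed sample: events as the events list would hold them.
const sampleEvents = [
  { id: "web-01/check_cpu", entity: "web-01", check: "check_cpu" },
  { id: "web-02/check_cpu", entity: "web-02", check: "check_cpu" },
  { id: "db-01/check_disk", entity: "db-01", check: "check_disk" },
];

// Stub backend: a user bound only to the `view` ClusterRole is refused with
// 403; a user with delete permission gets 204 No Content.
function makeBackend(userCanDelete) {
  return (id) =>
    userCanDelete
      ? { status: 204, ok: true, statusText: "No Content" }
      : { status: 403, ok: false, statusText: "Forbidden" };
}

// Map an HTTP failure to what the UI should show. 401/403 are expected for a
// read-only user, so no bug-report prompt; anything else is unexpected.
function classifyFailure(res) {
  if (res.status === 401 || res.status === 403) {
    return {
      kind: "permission",
      message: "You are not authorized to delete events.",
      offerBugReport: false,
    };
  }
  return {
    kind: "unexpected",
    message: `Request failed with status ${res.status} ${res.statusText}`,
    offerBugReport: true,
  };
}

// Buggy pattern: drop the rows first, then call the API. On a 403 the rows
// are already gone, nothing rolls them back, and the generic handler offers
// a bug report. This reproduces the behaviour the issue describes.
function optimisticDelete(state, ids, deleteEvent) {
  const next = {
    events: state.events.filter((e) => !ids.includes(e.id)),
    error: null,
  };
  for (const id of ids) {
    const res = deleteEvent(id);
    if (!res.ok) {
      next.error = {
        kind: "unexpected",
        message: `Error: ${res.status} ${res.statusText}`,
        offerBugReport: true,
      };
      break; // no rollback of the rows already removed
    }
  }
  return next;
}

// Corrected pattern: call the API first, remove only events the server
// confirmed, and surface a permission error that needs no page reload.
function confirmedDelete(state, ids, deleteEvent) {
  const removed = new Set();
  let error = null;
  for (const id of ids) {
    const res = deleteEvent(id);
    if (res.ok) {
      removed.add(id);
    } else {
      error = classifyFailure(res);
      break;
    }
  }
  return {
    events: state.events.filter((e) => !removed.has(e.id)),
    error,
  };
}

// Select two of the three sample events and run one strategy for one user.
function runScenario(strategy, userCanDelete) {
  const state = { events: sampleEvents.slice(), error: null };
  const ids = ["web-01/check_cpu", "db-01/check_disk"];
  return strategy(state, ids, makeBackend(userCanDelete));
}

// Read-only user: the optimistic path is left with one row and a bug-report
// prompt; the confirmed path keeps all three rows and reports a permission
// error.
const buggy = runScenario(optimisticDelete, false);
const fixed = runScenario(confirmedDelete, false);
console.log(buggy.events.length, buggy.error.offerBugReport); // 1 true
console.log(fixed.events.length, fixed.error.kind); // 3 permission
```

The distinction to keep in mind when auditing the rest of the UI for read-only users: greying out the button is a usability nicety, but the server-side RBAC check is the actual control, so the client must be written to cope with a refusal rather than assume success.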

Requires sensu/sensu-enterprise-go#873

jamesdphillips avatar Feb 27 '20 21:02 jamesdphillips

@jamesdphillips to replicate this again.

portertech avatar Mar 02 '20 18:03 portertech