Permission error when trying to use has_repo_or_repo_ver_param_model_or_obj_perms function #5619

Closed
git-hyagi opened this issue Jul 22, 2024 · 0 comments · Fixed by #5618

Describe the bug
Defining a new viewset access policy condition like:

   "has_repo_or_repo_ver_param_model_or_obj_perms:file.view_filerepository",

will fail with:

pulp [d8eaefc0a7f44ac69660fe6060b7d4a4]: django.request:ERROR: Internal Server Error: /pulp/api/v3/repositories/container/container/0190dafa-e115-75e4-b139-03f038966315/build_image/
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.9/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.9/site-packages/django/views/decorators/csrf.py", line 56, in wrapper_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/rest_framework/viewsets.py", line 124, in view
    return self.dispatch(request, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 509, in dispatch
    response = self.handle_exception(exc)
  File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 469, in handle_exception
    self.raise_uncaught_exception(exc)
  File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 480, in raise_uncaught_exception
    raise exc
  File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 497, in dispatch
    self.initial(request, *args, **kwargs)
  File "/src/pulpcore/pulpcore/app/viewsets/base.py", line 300, in initial
    super().initial(request, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 415, in initial
    self.check_permissions(request)
  File "/usr/local/lib/python3.9/site-packages/rest_framework/views.py", line 332, in check_permissions
    if not permission.has_permission(request, self):
  File "/usr/local/lib/python3.9/site-packages/rest_access_policy/access_policy.py", line 69, in has_permission
    allowed = self._evaluate_statements(statements, request, view, action)
  File "/usr/local/lib/python3.9/site-packages/rest_access_policy/access_policy.py", line 113, in _evaluate_statements
    matched = self._get_statements_matching_conditions(
  File "/usr/local/lib/python3.9/site-packages/rest_access_policy/access_policy.py", line 262, in _get_statements_matching_conditions
    passed = self._check_condition(condition, request, view, action)
  File "/usr/local/lib/python3.9/site-packages/rest_access_policy/access_policy.py", line 286, in _check_condition
    result = method(request, view, action, arg)
  File "/src/pulpcore/pulpcore/app/global_access_conditions.py", line 484, in has_repo_or_repo_ver_param_model_or_obj_perms
    return request.user.has_perm(permission, repo_ver.repository)
  File "/usr/local/lib/python3.9/site-packages/django/contrib/auth/models.py", line 311, in has_perm
    return _user_has_perm(self, perm, obj)
  File "/usr/local/lib/python3.9/site-packages/django/contrib/auth/models.py", line 220, in _user_has_perm
    if backend.has_perm(user, perm, obj):
  File "/src/pulpcore/pulpcore/backends.py", line 65, in has_perm
    raise RuntimeError(
RuntimeError: Permission file.view_filerepository is not suitable for objects of class <class 'pulpcore.app.models.repository.Repository'>.

To Reproduce
Steps to reproduce the behavior:
Clone PR pulp/pulp_container#1687 and try to build a container:

pulp user create --username test --password password --email [email protected]
pulp user role-assignment add --username test --role "container.containerdistribution_collaborator" --object ""
pulp user role-assignment add --username test --role "container.containerrepository_content_manager" --object ""

echo 'Hello world!' > /tmp/example.txt

FILE_REPO=$(pulp file repository create --name foo --autopublish | jq -r '.pulp_href')
pulp file content upload --repository foo --file /tmp/example.txt --relative-path example4.txt

CONTAINER_REPO=$(pulp container repository create --name build | jq -r '.pulp_href') 
mkdir -p /tmp/test
echo 'FROM centos:7
COPY example4.txt /inside-image.txt
CMD ["cat", "/inside-image.txt"]' > /tmp/test/Containerfile

http -a test:password --form POST :5001${CONTAINER_REPO}build_image/ "containerfile@/tmp/test/Containerfile" repository_version=${FILE_REPO}versions/1/
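
The traceback shows `has_perm` receiving `repo_ver.repository`, a base `Repository` instance, together with a permission that belongs to the file repository model. The sketch below is an added example, not code from the issue or from pulpcore: it models a backend that rejects such a mismatch and shows the same check once the object is resolved to its concrete class. All class names, the `cast()` helper, the `label` values and the grants are constructed for illustration, and resolving the object first is an assumption about the remedy, not taken from #5618.

```python
# Constructed model of the failure; these classes are not Pulp's code.
class Repository:
    """Base model: the class named in the RuntimeError."""
    label = "core.repository"

    def __init__(self, name, detail=None):
        self.name = name
        self._detail = detail  # concrete subclass row, if one exists

    def cast(self):
        """Hypothetical helper: return the concrete subclass instance."""
        return self._detail or self


class FileRepository(Repository):
    label = "file.filerepository"


class StrictBackend:
    """Refuses to evaluate a permission against an object of another model."""

    def __init__(self, grants):
        self.grants = grants  # set of (username, permission, repository name)

    def has_perm(self, user, perm, obj):
        app_label, codename = perm.split(".", 1)
        model = codename.split("_", 1)[1]  # "view_filerepository" -> "filerepository"
        if f"{app_label}.{model}" != type(obj).label:
            raise RuntimeError(
                f"Permission {perm} is not suitable for objects of class {type(obj)}."
            )
        return (user, perm, obj.name) in self.grants


def evaluate(backend, user, perm, repo, cast):
    """Return 'allowed', 'denied' or 'error' for one access-policy check."""
    try:
        target = repo.cast() if cast else repo
        return "allowed" if backend.has_perm(user, perm, target) else "denied"
    except RuntimeError:
        return "error"  # surfaces as HTTP 500 in the traceback above


PERM = "file.view_filerepository"
BACKEND = StrictBackend({("test", PERM, "foo")})
# What repo_ver.repository hands to has_perm: a base-class instance.
BASE_REPO = Repository("foo", detail=FileRepository("foo"))

if __name__ == "__main__":
    for user, cast in [("test", False), ("test", True), ("other", True)]:
        print(user, cast, evaluate(BACKEND, user, PERM, BASE_REPO, cast))
```

The uncast check fails closed with an error rather than granting access, so the defect blocks the request instead of bypassing authorization.
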
git-hyagi added a commit to git-hyagi/pulpcore that referenced this issue Jul 22, 2024
git-hyagi added a commit to git-hyagi/pulpcore that referenced this issue Jul 23, 2024
patchback bot pushed a commit that referenced this issue Jul 23, 2024
mdellweg pushed a commit that referenced this issue Jul 23, 2024