Allow non-admins to use the checkRelation #1111
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…r own permissions
kian99
requested review from
alesstimec,
ale8k,
babakks and
mina1460
as code owners
alesstimec
approved these changes
Dec 5, 2023
internal/jujuapi/access_control.go
Outdated
| parsedTuple, err := r.parseTuple(ctx, req.Tuple) | ||
| if err != nil { | ||
| return checkResp, errors.E(op, errors.CodeFailedToParseTupleKey, err) | ||
| } | ||
|
|
||
| userCheckingSelf := parsedTuple.Object.Kind == openfga.UserType && parsedTuple.Object.ID == r.user.Username | ||
|
|
||
| if !r.user.JimmAdmin && !userCheckingSelf { |
There was a problem hiding this comment.
a more readable form is
if !(r.user.JimmAdmin || userCheckingSelf)
(according to boolean logic, at least) :)
There was a problem hiding this comment.
Definitely and I would've preferred that but then I don't think I can return early with that logic. Unless I'm mistaken
There was a problem hiding this comment.
it is literally an equivalent statement
!a && !b <=> !(a || b)
There was a problem hiding this comment.
Oh I completely missed the ! in the front of your statement. I read if r.user.JimmAdmin || userCheckingSelf woops! Will change.
There was a problem hiding this comment.
no no.. you didn't misread.. i had a typo :)
alesstimec
approved these changes
Dec 5, 2023
mina1460
approved these changes
Dec 6, 2023
alesstimec
approved these changes
Dec 6, 2023
| parsedTuple, err := r.parseTuple(ctx, req.Tuple) | ||
| if err != nil { | ||
| return checkResp, errors.E(op, errors.CodeFailedToParseTupleKey, err) | ||
| } | ||
|
|
||
| userCheckingSelf := parsedTuple.Object.Kind == openfga.UserType && parsedTuple.Object.ID == r.user.Username | ||
|
|
||
| if !(r.user.JimmAdmin || userCheckingSelf) { |
There was a problem hiding this comment.
perhaps a comment that:
- admins are allowed to check any relations
- users are only allowed to check relations of themselves to any resource
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Allow non-admins to use the checkRelation function when checking their own permissions.
This change was prompted by the fact that the Juju-dashboard is checking the user's permission to read audit logs to determine whether to display the "Audit Logs" tab in the dashboard.
Beyond the dashboard however, it seems like a reasonable change to allow users to call this facade to check their own permissions.
Engineering checklist