Fixes #37531 - Autocomplete feature for search shows content from forbidden organization for user #10197
Conversation
…bidden organization for user Fix an issue that caused content from all organizations to be shown through the auto-complete feature by using "enhanced_filter" of scoped_search.
There was a problem hiding this comment.
I was curious why this isn't an issue for other resources, such as hostgroups (going to Hosts > All hosts and searching for hostgroup = only gives you hostgroups from the current organization). Turns out hostgroups define a default_scope[1], which honors currently set taxonomies. This is also honored by scoped_search's autocomplete.
In general I would like to avoid solving the same problem in two different ways within a single codebase. Considering probably all katello models should belong to exactly one organization and probably all of them inherit from the same superclass, it should be relatively straightforward to craft a single default scope that would universally apply the scoping we expect and would be honored by scoped_search's autocomplete.
On the other hand, the default_scope way would affect much larger area as all active record queries would go through it, unless explicitly unscoped.
[1] - https://github.com/theforeman/foreman/blob/develop/app/models/hostgroup.rb#L52
| @@ -9,7 +9,7 @@ module Foreman::Controller::AutoCompleteSearch | |||
| def auto_complete_search | |||
| begin | |||
| model = (controller_name == "hosts") ? Host::Managed : model_of_controller | |||
| @items = model.complete_for(params[:search], {:controller => controller_name}) | |||
| @items = model.complete_for(params[:search], {:controller => controller_name, :enhanced_filter => {:has_column => "organization_id", :filter => {:organization_id => Organization.current.id}}}) | |||
There was a problem hiding this comment.
Katello has its own auto_complete_search definition, this change would need to happen there as well https://github.com/Katello/katello/blob/16440c3907d6b1f64c6edc2a2dedc213085436e0/app/controllers/katello/concerns/filtered_auto_complete_search.rb#L8 . Things like Content > Subscriptions and search for "name = " still offers subscriptions from other organizations.
There was a problem hiding this comment.
@Thorben-D can you please have a look at the last comments?
Currently, the suggestions provided by the auto-complete feature of the search-bars include content from different organizations. This PR fixes this by using the (yet to be merged)
enhanced_filterfunction of scoped_search.Detailed problem description:
The auto-complete functionality is handled by the action
auto_complete_searchofAutoCompleteSearch.The action works by first inferring the Model (DB-Table) from the name of the controller it has been called from and then forming valid SQL queries, which are shown in its own query-language.
Since permissions are handled on a per-action basis, if a role permits a user to call
auto_complete_searchfrom a controller X, he is given de-facto read access to the whole DB-Table X.It has not been tested, whether the scope may be expanded past X by injecting joins, etc..
Changes:
This PR filters the auto-complete suggestions by organization and only displays suggestions with content belonging to the user's current organization.
This does NOT fix the root issue, which is scoped_search not properly leveraging the Foreman permission system, but provides an interim solution until an implementation is found that respects the Foreman permission model.
Relations:
enhanced_filterto scoped_search