Hello Ondřej Macháček,
I'd like you to do a code review. Please visit
http://gerrit.ovirt.org/35301
to review the following change.
Change subject: mla: deny access to specific ID for users in user level API
......................................................................
mla: deny access to specific ID for users in user level API
Users who don't have the manipulate_permission action group
should not see users in the system, and they should not be able
to access them directly by their IDs either.
Change-Id: I90ec94fd0194680548e159f5d9bc010f5c233b91
Bug-Url: https://bugzilla.redhat.com/1160443
Signed-off-by: Ondra Machacek <[email protected]>
---
M
backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
M
backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAO.java
M
backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAODbFacadeImpl.java
M packaging/dbscripts/user_sp.sql
4 files changed, 21 insertions(+), 4 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/01/35301/1
diff --git
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
index 5291239..2b286a6 100644
---
a/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
+++
b/backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/aaa/GetDbUserByUserIdQuery.java
@@ -14,6 +14,6 @@
protected void executeQueryCommand() {
getQueryReturnValue().setReturnValue(
DbFacade.getInstance().getDbUserDao()
- .get((getParameters()).getId()));
+ .get((getParameters()).getId(),
getParameters().isFiltered()));
}
}
diff --git
a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAO.java
b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAO.java
index 4110d0d..03921f8 100644
---
a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAO.java
+++
b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAO.java
@@ -22,6 +22,15 @@
DbUser get(Guid id);
/**
+ * Retrieves the suser with the specified id.
+ *
+ * @param id the id of user
+ * @param isFiltered user level / admin level
+ * @return the user, or <code>null</code> if the id was invalid
+ */
+ DbUser get(Guid id, boolean isFiltered);
+
+ /**
* Retrieves a user by username.
*
* @param username
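Review bot: The new Javadoc on `get(Guid id, boolean isFiltered)` has a typo (`suser`) and does not say which value of `isFiltered` selects which behaviour; "user level / admin level" leaves the reader guessing. Suggested wording: `@param isFiltered {@code true} to apply user-level filtering, {@code false} for an admin-level (unfiltered) lookup`. The `@return` line should also mention the filtered case, e.g. `@return the user, or <code>null</code> if the id was invalid or the user is hidden by the filter`, assuming an empty result from the stored procedure is returned as `null` (the mapping is not visible here).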
diff --git
a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAODbFacadeImpl.java
b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAODbFacadeImpl.java
index 5680990..30bd069 100644
---
a/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAODbFacadeImpl.java
+++
b/backend/manager/modules/dal/src/main/java/org/ovirt/engine/core/dao/DbUserDAODbFacadeImpl.java
@@ -81,8 +81,14 @@
@Override
public DbUser get(Guid id) {
+ return get(id, false);
+ }
+
+ @Override
+ public DbUser get(Guid id, boolean isFiltered) {
MapSqlParameterSource parameterSource =
getCustomMapSqlParameterSource()
- .addValue("user_id", id);
+ .addValue("user_id", id)
+ .addValue("is_filtered", isFiltered);
return getCallsHandler().executeRead("GetUserByUserId",
DbUserRowMapper.instance, parameterSource);
}
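Review bot: The one-argument `get(Guid id)` now delegates with `isFiltered` set to `false`, so every caller that still uses it silently keeps the unfiltered lookup. Only `GetDbUserByUserIdQuery` is switched to the two-argument form in this change; the other callers are not visible here, so it is worth confirming that none of them serves a user-level API request. A comment on the overload would make the default explicit: `// Unfiltered (admin-level) lookup; user-level queries must call get(id, isFiltered).`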
diff --git a/packaging/dbscripts/user_sp.sql b/packaging/dbscripts/user_sp.sql
index c4c8379..61064b2 100644
--- a/packaging/dbscripts/user_sp.sql
+++ b/packaging/dbscripts/user_sp.sql
@@ -161,12 +161,14 @@
-Create or replace FUNCTION GetUserByUserId(v_user_id UUID) RETURNS SETOF users
STABLE
+Create or replace FUNCTION GetUserByUserId(v_user_id UUID, v_is_filtered
BOOLEAN) RETURNS SETOF users STABLE
AS $procedure$
BEGIN
RETURN QUERY SELECT users.*
FROM users
- WHERE user_id = v_user_id;
+ WHERE user_id = v_user_id AND (NOT v_is_filtered OR
+ EXISTS (SELECT 1 FROM users u,
user_db_users_permissions_view p
+ WHERE u.user_id = v_user_id AND
u.user_id = p.ad_element_id));
END; $procedure$
LANGUAGE plpgsql;
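Review bot: The filtered branch never refers to the user making the request: `GetUserByUserId` receives only the target `v_user_id` and `v_is_filtered`, and the `EXISTS` clause tests whether that target has a row in `user_db_users_permissions_view`. Unless the view is itself scoped to the caller (not visible in this hunk), a filtered caller without manipulate_permission gets the same result as any other filtered caller, which does not match the commit description; passing the requesting user's id into the function and correlating on it would close that gap. The inner `users u` join is also redundant, because the outer `WHERE` already pins `user_id = v_user_id`; `EXISTS (SELECT 1 FROM user_db_users_permissions_view p WHERE p.ad_element_id = v_user_id)` is equivalent. Separately, `Create or replace` with a changed argument list defines a new overload in PostgreSQL, so the old one-argument `GetUserByUserId(UUID)` stays callable unless the upgrade scripts drop it.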
--
To view, visit http://gerrit.ovirt.org/35301
Gerrit-MessageType: newchange
Gerrit-Change-Id: I90ec94fd0194680548e159f5d9bc010f5c233b91
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.5
Gerrit-Owner: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Ondřej Macháček <[email protected]>