Skip to content

secure pipeline command #1370

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
mpeck merged 6 commits into from
Feb 22, 2017
Merged

secure pipeline command #1370

mpeck merged 6 commits into from
Feb 22, 2017

Conversation

@mpeck
Copy link
Contributor

@mpeck mpeck commented Feb 22, 2017

Adds a hardcoded permission to the pipeline command limiting who can manage pipelines to the owning user and users with the operable:manage_user_pipeline permission.

resolves #1327

@mpeck mpeck added the review label Feb 22, 2017
christophermaier
christophermaier approved these changes Feb 22, 2017
View reviewed changes
Copy link
Collaborator

@christophermaier christophermaier left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Left a comment about a potential DRY opportunity. I think it would also be useful to add something to these command docs indicating that the scope of the results is going to be dependent on either who you are or what your permissions are.

lib/cog/commands/pipeline/list.ex Outdated
perm = Permissions.by_name("operable:manage_user_pipeline")
if User.has_permission(req_user, perm) do
{:ok, HistoryRepo.pipelines_for_user(app_user.id, Map.get(opts, "last", 20))}
else
Copy link
Collaborator

@christophermaier christophermaier Feb 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we consolidate some of this? Seems like it's doing the same kind of checks as in other places in this PR (e.g. if has_perm? || entry.user.id == req_user.id do...)

@mpeck mpeck merged commit 60e82a0 into master Feb 22, 2017
@mpeck mpeck removed the review label Feb 22, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@christophermaier christophermaier christophermaier approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Revisit pipeline command-related permissions

3 participants

@mpeck @christophermaier