Fixes #39447 - Guard dangerous host bulk actions with scope hash#11038
Fixes #39447 - Guard dangerous host bulk actions with scope hash#11038sbernhard wants to merge 2 commits into
Conversation
|
the Katello test calls bulk_destroy directly with only:
The failing test is here: katello/test/controllers/api/v2/hosts_bulk_actions_controller_extensions_test.rb:11 |
jeremylenz
left a comment
There was a problem hiding this comment.
Thanks @sbernhard! I like this idea a lot; just have a question/concern below.
|
Found issues in error toast handling for disassociate bulk action: #11045 |
|
Currently, the guard is only for the "most critical" bulk actions. It would be pretty easy to extend this for all bulk actions in the hosts controller. Already talked to @nadjaheitmann - she would prefer this. What's your opinion @jeremylenz? |
|
@sbernhard Thanks for doing all the performance testing! I agree that "one-shot pluck" looks like a good compromise of increasing performance while still keeping the readability and maintainability of Ruby code. (Still amazing how fast SQL is, though 😄) I also think one-shot pluck is fast enough (based on your numbers) that extending it to all controller actions should be fine. 👍 |
|
@sbernhard @jeremylenz The guard does not save us from implementing location parameter evaluation for the host bulk actions controller which is done in the PR that I have opened. |
jeremylenz
left a comment
There was a problem hiding this comment.
Tested and works well after I made one change.
a5cd7da to
0bb4d49
Compare
7040a69 to
6cceb23
Compare
Compute a scope hash from the current user, current taxonomy context, and all currently accessible host ids of the user, expose it to the new hosts page, and require it on bulk actions. The backend now rejects those actions with 409 when the hash is missing or stale, which fails closed on cross-tab taxonomy changes and host set drift. Co-authored-by: OpenAI Codex <codex@openai.com>
…r toast Co-authored-by: OpenAI Codex <codex@openai.com>
|
We also need: |
This guard uses digests of user ID, location ID, organization ID, and all host IDs a user has access. This digest is passed to the UI and forwarded to 'some' bulk actions like delete, power off which can really 'destroy' a datacenter managed by foreman. In the bulk action the hash is recalculated and only if the hash stays the same, the bulk action is executed. Not perfect, but I think it solves both issues.