Skip to content

added support admins pluginconfig managemnent #1470#1837

Merged
0ssigeno merged 5 commits intodevelopfrom
admin-support
Aug 16, 2023
Merged

added support admins pluginconfig managemnent #1470#1837
0ssigeno merged 5 commits intodevelopfrom
admin-support

Conversation

@federicofantini
Copy link
Contributor

@federicofantini federicofantini commented Aug 9, 2023

Description

Added support to admin permission management plugin config: now you don't need to be an owner but just be an admin of an organization.
NOTE: this update do not cover the frontend.

Type of change

  • New feature (non-breaking change which adds functionality).

Checklist

  • I have read and understood the rules about how to Contribute to this project
  • The pull request is for the branch develop
  • A new plugin (analyzer, connector, visualizer, playbook or ingestor) was added or changed, in which case:
    • Usage file was updated.
    • Advanced-Usage was updated (in case the plugin provides additional optional configuration).
    • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
    • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
    • If you created a new analyzer and it is free (does not require API keys), please add it in the FREE_TO_USE_ANALYZERS playbook in playbook_config.json.
    • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
    • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
  • If external libraries/packages with restrictive licenses were used, they were added in the Legal Notice section.
  • Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
  • I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
  • If changes were made to an existing model/serializer/view, the docs were updated and regenerated (check CONTRIBUTE.md).
  • If the GUI has been modified:
    • I have a provided a screenshot of the result in the PR.
    • I have created new frontend tests for the new component or updated existing ones.

@federicofantini federicofantini requested review from 0ssigeno and mlodic and removed request for mlodic August 9, 2023 15:40
@mlodic
Copy link
Member

mlodic commented Aug 9, 2023

I leave the review to @0ssigeno only. Thanks for the contribution :)

0ssigeno
0ssigeno requested changes Aug 10, 2023
View reviewed changes
api_app/queryset.py Outdated
Comment on lines 213 to 223
if membership.is_admin:
return self.filter(Q(for_organization=True) | Q(owner__isnull=True))
else:
return self.filter(
(
Q(for_organization=True)
& Q(owner=membership.organization.owner)
)
| Q(owner=user)
| Q(owner__isnull=True)
)
Copy link
Contributor

@0ssigeno 0ssigeno Aug 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, with this condition, if you are an admin you can see the configuration of every other organization user values. This is obviously not intended.
1 - Can we add a test to verify or refute this claim?
2 - If the claim is valid, I would suggest something like

if membership.is_admin:

    Q(for_organization=True, owner__membership__organization=membership.organization) | 
    Q(owner=user) | Q(owner_isnull=True)

The test that you will make should fail before and pass after this change

Copy link
Contributor Author

@federicofantini federicofantini Aug 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was reasoning that in this case being admin/owner/user is indifferent to the level of visibility of the configs in the org...
I think the following code should be enough:

# If you are member of an organization you should see the configs.
return self.filter(
    Q(for_organization=True, owner__membership__organization=membership.organization)
    | Q(owner=user)
    | Q(owner__isnull=True)
)

api_app/permissions.py Outdated
Comment on lines 21 to 24
def has_object_permission(request, view, obj):
if request.user.has_membership():
return request.user.membership.is_admin
return False
Copy link
Contributor

@0ssigeno 0ssigeno Aug 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you are admin you can retrieve the value of another organization.
The check should be something like

 obj_owner = getattr(obj, "owner", None):
 # if the object was not made for an organization, we return false
if not obj_owner or not obj_owner.has_membership():
    return False
 else:
    # if we are admin we can e have to check that is our org
    return request.user.has_membership() and request.user.membership.is_admin and obj_owner.membership.organization == request.user.membership.organization

api_app/views.py Outdated
if not request.user.has_membership() or not request.user.membership.is_owner:
if request.user.has_membership():
if not (
request.user.membership.is_owner or request.user.membership.is_admin
Copy link
Contributor

@0ssigeno 0ssigeno Aug 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can remove the is_owner chec, since the owner is always admin

api_app/serializers.py
Comment on lines 932 to 941
org = attrs.pop("organization")
if not (
org.owner == attrs["owner"]
or (
self.context["request"].user.has_membership()
and self.context["request"].user.membership.organization.pk
== org.pk
and self.context["request"].user.membership.is_admin
)
):
Copy link
Contributor

@0ssigeno 0ssigeno Aug 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok we starts to need some sort of comment in this boolean expression because it is breaking my mind.

This should mean


we raise ValidationError() when
1 - we are not owner  OR
2 - we are not admin of the same org

If I did not fucked up the boolean expression, the check seems valid to me, I would just suggest to add a comment because it took me 5 minutes to understand what was going on

api_app/serializers.py
Comment on lines +885 to +893
and not (
self.context["request"].user.pk == instance.owner.pk
or (
self.context["request"].user.has_membership()
and self.context["request"].user.membership.organization.pk
== instance.owner.membership.organization.pk
and self.context["request"].user.membership.is_admin
)
)
Copy link
Contributor

@0ssigeno 0ssigeno Aug 10, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a comment here too, this is fucking me up.

We return `redacted` when
1) is a secret AND
2) is a value for the organization AND
3) we are not its owner  OR
4) we are not an admin of the same organization

if I did not fuck up the boolean expression, it seems good to me, just add a comment for future us

@federicofantini
made the requested changes
cade466 
fixed admin queryset query and added tests

fixed admin permissions checks

added comments in tests source code
@codecov
Copy link

codecov bot commented Aug 14, 2023
edited
Loading

Codecov Report

Merging #1837 (16e1596) into develop (77977ed) will increase coverage by 0.02%.
Report is 12 commits behind head on develop.
The diff coverage is 66.66%.

Impacted file tree graph

@@             Coverage Diff             @@
##           develop    #1837      +/-   ##
===========================================
+ Coverage    76.20%   76.22%   +0.02%     
===========================================
  Files          378      381       +3     
  Lines        12380    12475      +95     
  Branches      1303     1315      +12     
===========================================
+ Hits          9434     9509      +75     
- Misses        2408     2426      +18     
- Partials       538      540       +2
Files Changed Coverage Δ
api_app/models.py 85.95% <ø> (+0.41%) ⬆️
api_app/queryset.py 95.50% <ø> (ø)
api_app/permissions.py 60.00% <20.00%> (-6.67%) ⬇️
api_app/views.py 85.47% <87.50%> (+0.16%) ⬆️
api_app/serializers.py 84.54% <100.00%> (+0.34%) ⬆️

... and 7 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 77977ed...16e1596. Read the comment docs.

@0ssigeno
Copy link
Contributor

0ssigeno commented Aug 16, 2023

LGTM. The only thing missing is to allow the org owner to add/remove admins from the org panel in the frontend.
I will open a different issue to keep track of this.

@0ssigeno 0ssigeno merged commit 6c9cef5 into develop Aug 16, 2023
@0ssigeno 0ssigeno mentioned this pull request Aug 16, 2023
Closed
@federicofantini federicofantini deleted the admin-support branch November 27, 2023 11:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0ssigeno 0ssigeno 0ssigeno approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@federicofantini @mlodic @0ssigeno