Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: restricted permissions for image actions [WD-18905] #1100

Merged
merged 9 commits into from
Feb 13, 2025
Merged

feat: restricted permissions for image actions [WD-18905] #1100

merged 9 commits into from
Feb 13, 2025

Conversation

mas-who
Copy link
Contributor

@mas-who mas-who commented Feb 11, 2025

Done

  • handling of image related actions documented here

QA

  1. Run the LXD-UI:
  2. Perform the following QA steps:
    • Check that the UI handles images related permission restrictions according to actions documented here

@webteam-app
Copy link

Demo

Jenkins

demos.haus

edlerd
edlerd reviewed Feb 11, 2025
View reviewed changes
@edlerd edlerd mentioned this pull request Feb 11, 2025
Merged
edlerd
edlerd reviewed Feb 11, 2025
View reviewed changes
Copy link
Collaborator

@edlerd edlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thx for making the entitlement lookups consistent. Only two questions below left, then this should be good to go.

@mas-who mas-who force-pushed the restricted-permissions-images branch 2 times, most recently from 1c75016 to ee0531a Compare February 11, 2025 16:22
edlerd
edlerd requested changes Feb 11, 2025
View reviewed changes
@mas-who mas-who force-pushed the restricted-permissions-images branch 2 times, most recently from 957f4b0 to c1901ad Compare February 11, 2025 16:37
edlerd
edlerd reviewed Feb 11, 2025
View reviewed changes
@mas-who mas-who force-pushed the restricted-permissions-images branch from c1901ad to 35102cc Compare February 11, 2025 16:55
edlerd
edlerd approved these changes Feb 11, 2025
View reviewed changes
Copy link
Collaborator

@edlerd edlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

code LGTM

@mas-who
Copy link
Contributor Author

mas-who commented Feb 12, 2025

code LGTM

Thanks, are we not going to do QA?

@edlerd
Copy link
Collaborator

edlerd commented Feb 12, 2025

An open issue:
Given a user has "project default image_manager", but not "project default viewer", then we fail to identify if the user has the image creation permission.

@mas-who
Copy link
Contributor Author

mas-who commented Feb 12, 2025

An open issue: Given a user has "project default image_manager", but not "project default viewer", then we fail to identify if the user has the image creation permission.

I believe if the user does not have project default viewer they will not be able to see anything in the UI for project default. This is related to this task.

@edlerd
Copy link
Collaborator

edlerd commented Feb 12, 2025

I believe if the user does not have project default viewer they will not be able to see anything in the UI for project default. This is related to this task.

Interestingly, the image list was visible without the project viewer permission. But the upload image button was disabled, because we fail to figure out the user has that permission.

@mas-who mas-who force-pushed the restricted-permissions-images branch from 35102cc to 42d170c Compare February 12, 2025 14:48
@mas-who
Copy link
Contributor Author

mas-who commented Feb 12, 2025
edited
Loading

I believe if the user does not have project default viewer they will not be able to see anything in the UI for project default. This is related to this task.

Interestingly, the image list was visible without the project viewer permission. But the upload image button was disabled, because we fail to figure out the user has that permission.

I think that's probably because in App.tsx, ImageList is not wrapped with ProjectLoader. It's interesting though, we can fetch images with the all-project query param, so it can be a non-project specific page. Currently, to upload an image, it is dependent on the current project that we have selected. Perhaps the upload image form should have a project selector, that way the list of project options would be governed by project <project> can_view permission. wdyt? Should it be part of this PR?

@mas-who mas-who force-pushed the restricted-permissions-images branch from 42d170c to d3bd0bd Compare February 12, 2025 15:16
@edlerd
Copy link
Collaborator

edlerd commented Feb 12, 2025

I think that's probably because in App.tsx, ImageList is not wrapped with ProjectLoader. It's interesting though, we can fetch images with the all-project query param, so it can be a non-project specific page. Currently, to upload an image, it is dependent on the current project that we have selected. Perhaps the upload image form should have a project selector, that way the list of project options would be governed by project <project> can_view permission. wdyt? Should it be part of this PR?

I wouldn't change it now. I am also not sure if it is the right thing to do. Images are project specific, after all.

The project viewer permission is mandatory to have image permissions correctly applied. Maybe mention it as an issue in the doc you created. I am fine with keeping things as they are now.

edlerd
edlerd previously approved these changes Feb 12, 2025
View reviewed changes
Copy link
Collaborator

@edlerd edlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apart from the issue mentioned above, QA LGTM as well.

@mas-who
Copy link
Contributor Author

mas-who commented Feb 12, 2025

I think that's probably because in App.tsx, ImageList is not wrapped with ProjectLoader. It's interesting though, we can fetch images with the all-project query param, so it can be a non-project specific page. Currently, to upload an image, it is dependent on the current project that we have selected. Perhaps the upload image form should have a project selector, that way the list of project options would be governed by project <project> can_view permission. wdyt? Should it be part of this PR?

I wouldn't change it now. I am also not sure if it is the right thing to do. Images are project specific, after all.

The project viewer permission is mandatory to have image permissions correctly applied. Maybe mention it as an issue in the doc you created. I am fine with keeping things as they are now.

Okay sure, when it comes to permissions, I think we may run into a few places where the current UI structure may need to be updated/changed/improved. I've documented the above issue in the sheet for reference.

@mas-who mas-who force-pushed the restricted-permissions-images branch from d3bd0bd to 86b6411 Compare February 12, 2025 17:07
@mas-who mas-who force-pushed the restricted-permissions-images branch from a41476a to 86b6411 Compare February 13, 2025 08:41
@mas-who mas-who force-pushed the restricted-permissions-images branch from e253487 to 277a746 Compare February 13, 2025 08:51
edlerd
edlerd approved these changes Feb 13, 2025
View reviewed changes
Copy link
Collaborator

@edlerd edlerd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@mas-who mas-who merged commit d413e76 into canonical:main Feb 13, 2025
11 checks passed
@mas-who mas-who mentioned this pull request Feb 19, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edlerd edlerd edlerd approved these changes

Assignees
No one assigned
Labels
Review: Code +1 Review: QA +1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@mas-who @webteam-app @edlerd @MasWho