Problem/Motivation

  • An authorized user having no permissions to access any cloud service providers can reach the resource pages via the dropdown menu: “Cloud service providers” → “All” → “AWS resources”
  • Then, the “Refresh” button shows up.
  • This “Refresh” button shouldn’t show as the user has no permission to access any cloud service providers.
  • When hitting the “Refresh” button, some success message shows up and no resources show.


Comments

baldwinlouie created an issue. See original summary.

baldwinlouie’s picture

Status: Active » Needs review

@yas, pull request for this functionality is here. I added a new access checking method called checkAccessForUpdateAll in CloudConfigController. It is generic and can be used for the other cloud service provider modules too.

The new access checking method is defined like such:

entity.aws_cloud_transit_gateway.list_update.all:
  path: '/clouds/aws_cloud/transit_gateway/update'
  defaults:
    _controller: '\Drupal\aws_cloud\Controller\Vpc\ApiController::updateAllTransitGatewayList'
  requirements:
    _custom_access: '\Drupal\cloud\Controller\CloudConfigController::checkAccessForUpdateAll'
  options:
    entity_type: 'aws_cloud_transit_gateway'
    cloud_config_bundle: 'bundle_name'
    perm: 'Optional permissions.'

The option entity_type is required. I need it to do the permission checking. I can't find a way to derive that from the Route object passed to checkAccessForUpdateAll(). If entity_type is not passed, the route will return AccessResult::neutral and the button will not show.

The cloud_config_bundle is optional. If it isn't provided, the cloud_config_bundle is derived from the entity_type.

The method takes care of checking edit any/edit own entity_type access. If desired, an option perm string can be passed. Those additional permissions are checked as well.

yas’s picture

Issue summary: View changes
Status: Needs review » Needs work

@baldwinlouie

I posted my comments. Could you please check them? Thanks!

baldwinlouie’s picture

Status: Needs work » Needs review

@yas, I've incorporated your coding suggestions.

yas’s picture

Status: Needs review » Reviewed & tested by the community

@baldwinlouie

Thank you for the update. It looks good to me now. I'll merge the patch to 4.x and 5.x, and close this issue as Fixed.

baldwinlouie’s picture

Status: Reviewed & tested by the community » Needs review

@yas, I updated this patch slightly. In preparation for adding this check to K8s routes, I needed to support one edge case. For K8s Nodes there is no such thing as edit any/own K8s node.

In that case, I added a new option called bypass_any_own_check to the permission checking. This lets us bypass the standard edit/any/own checking, and just check to see if the user can 1) view the particular cloud service provider, and 2) view k8s node permission only.

entity.k8s_node.list_update.all:
  path: '/clouds/k8s/node/update'
  defaults:
    _controller: '\Drupal\k8s\Controller\ApiController::updateNodeList'
  requirements:
    _custom_access: '\Drupal\cloud\Controller\CloudConfigController::checkAccessForUpdateAll'
  options:
    bypass_any_own_check: true
    entity_type: 'k8s_node'
    perm: 'view k8s node'
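
An added sketch (not the project's checkAccessForUpdateAll code, and not part of the comment above) of how a `_custom_access` callback can turn the route options described in this thread into a fail-closed decision. The class name, namespace, the "edit any/own <entity type>" permission naming and the comma-separated form of `perm` are assumptions; the provider-level view check is a separate step and is not covered here.

```php
<?php

namespace Drupal\example_access\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Access\AccessResultInterface;
use Drupal\Core\Session\AccountInterface;
use Symfony\Component\Routing\Route;

/**
 * Hypothetical _custom_access callback driven by route options.
 */
class UpdateAllAccessExample {

  public function access(Route $route, AccountInterface $account): AccessResultInterface {
    $entity_type = $route->getOption('entity_type');
    if (empty($entity_type)) {
      // Fail closed: without an entity type no permission can be derived,
      // so the route stays inaccessible and the button is not rendered.
      return AccessResult::neutral('Route option entity_type is missing.');
    }

    $checks = [];
    if (!$route->getOption('bypass_any_own_check')) {
      // Assumed permission naming: "edit any|own <entity type with spaces>".
      $label = str_replace('_', ' ', $entity_type);
      $checks[] = AccessResult::allowedIfHasPermissions(
        $account, ["edit any $label", "edit own $label"], 'OR');
    }

    // Assumption: "perm" holds one permission or a comma-separated list.
    $extra = array_filter(array_map('trim', explode(',', (string) $route->getOption('perm'))));
    if ($extra) {
      $checks[] = AccessResult::allowedIfHasPermissions($account, array_values($extra), 'AND');
    }

    if (!$checks) {
      // bypass_any_own_check without "perm" would otherwise allow everyone.
      return AccessResult::neutral('No permission to evaluate.');
    }

    // Every collected check must pass; the results carry the
    // user.permissions cache context set by allowedIfHasPermissions().
    $result = array_shift($checks);
    foreach ($checks as $check) {
      $result = $result->andIf($check);
    }
    return $result;
  }

}
```

Because route access requires an explicit "allowed" result, every neutral return above keeps both the link and the direct URL unavailable to the user.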

kumikoono’s picture

@baldwin Thanks for providing this patch. This looks good to me.

yas’s picture

Status: Needs review » Reviewed & tested by the community

@kumikoono

Thank you for your review.

@baldwinlouie

It looks good to me, too. I'll merge the patch to 4.x and 5.x, and close this issue as Fixed.

yas’s picture

Status: Reviewed & tested by the community » Needs work

@baldwinlouie

Could you please rebase the patch? Thanks!

baldwinlouie’s picture

Status: Needs work » Needs review

@yas, rebased the patch.

yas’s picture

@baldwinlouie

Thank you for rebasing. I'll merge the patch to 4.x and 5.x, and close this issue as Fixed.

  • yas committed c1d3842 on 5.x authored by baldwinlouie
    Issue #3292036 by baldwinlouie, yas, kumikoono: Remove "Refresh" button...

  • yas committed fddcb8e on 4.x authored by baldwinlouie
    Issue #3292036 by baldwinlouie, yas, kumikoono: Remove "Refresh" button...

yas’s picture

Status: Needs review » Fixed

baldwinlouie’s picture

Title: Remove "Refresh" button when the user has no permissions to access any cloud service providers » Remove AWS "Refresh" button when the user has no permissions to access any cloud service providers

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.