[PR #2085/8d6fce2c backport][stable-4.9] Do not include group members…

… when fetching the list of users for a namespace (#2086) Do not include group members when fetching the list of users for a namespace (#2085) * Users in the namespace owners list should not include group members. * Add integration test * Add changelog entry. Issue: AAH-3121 Signed-off-by: James Tanner <tanner.jc@gmail.com> (cherry picked from commit 8d6fce2) Co-authored-by: jctanner <tanner.jc@gmail.com> Co-authored-by: Bruno Rocha <rochacbruno@users.noreply.github.com>
ansible · Mar 4, 2024 · ab37e59 · ab37e59
1 parent 891656c
commit ab37e59
Show file tree

Hide file tree

Showing 3 changed files with 103 additions and 2 deletions.
diff --git a/CHANGES/3121.bugfix b/CHANGES/3121.bugfix
@@ -0,0 +1 @@
+Fixed issue where group members were also showing up as users in the Namespace owners list.
diff --git a/galaxy_ng/app/access_control/mixins.py b/galaxy_ng/app/access_control/mixins.py
@@ -70,7 +70,7 @@ class UserModelPermissionsMixin:
     @property
     def users(self):
         return get_users_with_perms_attached_roles(
-            self, include_model_permissions=False, for_concrete_model=True)
+            self, include_model_permissions=False, for_concrete_model=True, with_group_users=False)
 
     @users.setter
     def users(self, users):
@@ -89,7 +89,7 @@ def _set_users(self, users):
                 obj = self._meta.concrete_model.objects.get(pk=self.pk)
 
             current_users = get_users_with_perms_attached_roles(
-                obj, include_model_permissions=False)
+                obj, include_model_permissions=False, with_group_users=False)
             for user in current_users:
                 for perm in current_users[user]:
                     remove_role(perm, user, obj)

diff --git a/galaxy_ng/tests/integration/api/test_ui_namespace_owners.py b/galaxy_ng/tests/integration/api/test_ui_namespace_owners.py
@@ -0,0 +1,100 @@
+#!/usr/bin/env python3
+
+import copy
+import random
+
+import pytest
+
+from ..utils import UIClient
+
+
+REGEX_403 = r"HTTP Code: 403"
+
+
+@pytest.mark.deployment_standalone
+@pytest.mark.api_ui
+@pytest.mark.min_hub_version("4.9dev")
+def test_api_ui_v1_namespace_owners_users_and_group_separation(ansible_config):
+
+    # https://issues.redhat.com/browse/AAH-3121
+    # Namespace owners should have a list of users that are directly added as owners.
+    # That list of users should -not- include users of groups that have been
+    # added as owners.
+
+    cfg = ansible_config('partner_engineer')
+    with UIClient(config=cfg) as uclient:
+
+        suffix = random.choice(range(0, 1000))
+        group_name = f'group{suffix}'
+        user_name = f'user{suffix}'
+        namespace_name = f'namespace{suffix}'
+
+        # make the group
+        group_resp = uclient.post('_ui/v1/groups/', payload={'name': group_name})
+        assert group_resp.status_code == 201
+        group_ds = group_resp.json()
+
+        # make the user & add it to the group
+        user_resp = uclient.post(
+            '_ui/v1/users/',
+            payload={
+                'username': user_name,
+                'first_name': 'foo',
+                'last_name': 'bar',
+                'email': 'foo@barz.com',
+                'groups': [group_ds],
+                'password': 'abcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()-+',
+                'is_superuser': False
+            }
+        )
+        assert user_resp.status_code == 201
+
+        # make the second user & don't add it to the group
+        user2_name = f'user{suffix}2'
+        user2_resp = uclient.post(
+            '_ui/v1/users/',
+            payload={
+                'username': user2_name,
+                'first_name': 'foo2',
+                'last_name': 'bar2',
+                'email': 'foo2@barz.com',
+                'groups': [],
+                'password': 'abcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()-+',
+                'is_superuser': False
+            }
+        )
+        assert user2_resp.status_code == 201
+        user2_ds = user2_resp.json()
+
+        # Create the namespace ...
+        namespace_resp = uclient.post(
+            '_ui/v1/namespaces/',
+            payload={
+                'name': namespace_name,
+            }
+        )
+        namespace_ds = namespace_resp.json()
+
+        # Add the user and the group to the namespace
+        user2_payload = copy.deepcopy(user2_ds)
+        user2_payload['object_roles'] = ['galaxy.collection_namespace_owner']
+        group_payload = copy.deepcopy(group_ds)
+        group_payload['object_roles'] = ['galaxy.collection_namespace_owner']
+        uclient.put(
+            f'_ui/v1/namespaces/{namespace_name}/',
+            payload={
+                'name': namespace_name,
+                'id': namespace_ds['id'],
+                'pulp_href': namespace_ds['pulp_href'],
+                'users': [user2_payload],
+                'groups': [group_payload],
+            }
+        )
+
+        # Make sure the user list is the group and user2, but not user1 ...
+        new_namespace_resp = uclient.get(f'_ui/v1/namespaces/{namespace_name}/')
+        new_namespace_ds = new_namespace_resp.json()
+        assert len(new_namespace_ds['groups']) == 1, new_namespace_ds['groups']
+        assert len(new_namespace_ds['users']) == 1, new_namespace_ds['users']
+        assert [x['name'] for x in new_namespace_ds['groups']] == [group_name]
+        assert [x['name'] for x in new_namespace_ds['users']] == [user2_name]
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Fixed issue where group members were also showing up as users in the Namespace owners list.