Fix the UI to correctly determine if a user has access to a resource #9473
Issue #5430. FYI @russjones, this fixes the bug we talked about yesterday.
Friendly ping @jimbishopp @timothyb89? We want to get this out for 8.1, so I wanted to merge before I'm out for recess, if possible.
e944b86 to 030bfb1
I see what this is going for, but it definitely feels a bit brittle and easy to misuse... IIUC the problem we are trying to solve here is that not all variables are in-scope at this level to evaluate the where clause correctly, yeah? I'm wondering if it would be possible to handle that specific case, rather than evaluate all of these expressions to true/false. I.e. is it possible to distinguish between a where clause that actually doesn't match, and a where clause for which a match is not decidable? I haven't looked at the internals of the where parser in a long time, so maybe that isn't a reasonable ask. Definitely worth looking into it though. If it is possible to differentiate between where clauses that can't be evaluated versus those that fail, then I'd prefer that we implement a function which returns an enum (e.g. Regardless of whether or not the above is possible/practical, let's rename this method to something that really screams "not a valid RBAC check" (e.g.
Thanks for the feedback, @fspmarshall. Let's start with the easy part: I like the rename and it seems a good way forward, so I'll go ahead and apply that. I'm not looking forward to adding a 3rd possible response to CheckAccessToRule, the knock-on effect in Teleport seems worse than the new method, plus our Parser and Predicate concepts aren't really built for 3-state responses. WDYT? Could we move forward with the new naming? (tagging @russjones)
030bfb1 to 1bbfe27
Friendly ping to reviewers?
I don't mind this, especially with the name change.
Thanks everyone.
1bbfe27 to f759440
Fixes bug where the "Session Recordings" menu doesn't show for users with where-based roles.
f759440 to 2f8b327
Introduce the GuessIfAccessIsPossible method, so callers may verify if a user has access to a category of resources, instead of access to a specific resource.
Fixes a bug where the "Session Recordings" menu doesn't show for users with where-based roles.
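
The distinction discussed in this thread, between a where clause that does not match and one that cannot be decided because its variables are not in scope, can be sketched as follows. This is an added example, not Teleport's code: `Tri`, `Rule`, `StrictCheck`, `GuessPossible` and the `session.owner` field are hypothetical names, and the where clause is reduced to a single equality test.

```go
package main

import "fmt"

// Tri is a hypothetical three-state result for evaluating a where clause.
type Tri int
const (
	NoMatch Tri = iota
	Match
	Undecidable // a variable the clause needs is not in scope
)

// Rule is a simplified allow rule (assumption): where "Field == Want"; empty Field = no where clause.
type Rule struct{ Kind, Field, Want string }

func (r Rule) eval(ctx map[string]string) Tri {
	got, inScope := ctx[r.Field]
	if r.Field == "" || (inScope && got == r.Want) {
		return Match
	} else if !inScope {
		return Undecidable
	}
	return NoMatch
}

func decide(rules []Rule, kind string, ctx map[string]string, lenient bool) bool {
	for _, r := range rules {
		t := r.eval(ctx)
		if r.Kind == kind && (t == Match || (lenient && t == Undecidable)) {
			return true
		}
	}
	return false
}

// StrictCheck is the enforcement decision: only a definite Match grants access.
func StrictCheck(rules []Rule, kind string, ctx map[string]string) bool {
	return decide(rules, kind, ctx, false)
}

// GuessPossible is a UI hint only, never an RBAC check: Undecidable counts as "maybe".
func GuessPossible(rules []Rule, kind string, ctx map[string]string) bool {
	return decide(rules, kind, ctx, true)
}

func main() {
	rules := []Rule{{"session", "session.owner", "alice"}} // constructed sample rule
	// No concrete session in scope (menu level): strict says false, the guess says true.
	fmt.Println(StrictCheck(rules, "session", nil), GuessPossible(rules, "session", nil))
}
```

A caller would use the lenient result only to decide whether to show a menu entry; every request for a concrete resource still goes through the strict check with that resource's fields in scope.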