This is an automated email from the ASF dual-hosted git repository.

mitchell852 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 2e6a679  Restricted job creation to Portal and above (#3742)
2e6a679 is described below

commit 2e6a6797d55ca28310d0c5eb1be5ec592dcc595f
Author: ocket8888 <[email protected]>
AuthorDate: Tue Jul 30 08:30:57 2019 -0600

    Restricted job creation to Portal and above (#3742)
    
    * Restricted job creation to Portal and above
    
    * Fixed double check for proper Role
    
    * rolled back ineffectual change
    
    * updated version at which endpoint permissions changed
---
 docs/source/api/user_current_jobs.rst | 7 +++++--
 traffic_ops/app/lib/API/Job.pm        | 4 ++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/docs/source/api/user_current_jobs.rst 
b/docs/source/api/user_current_jobs.rst
index c754fbe..85f37e9 100644
--- a/docs/source/api/user_current_jobs.rst
+++ b/docs/source/api/user_current_jobs.rst
@@ -122,7 +122,11 @@ Creates a new content revalidation job.
 .. Note:: This method forces a HTTP *revalidation* of the content, and not a 
new ``GET`` - the origin needs to support revalidation according to the 
HTTP/1.1 specification, and send a ``200 OK`` or ``304 Not Modified`` HTTP 
response as appropriate.
 
 :Auth. Required: Yes
-:Roles Required: "admin" or "operations"\ [1]_
+:Roles Required: "portal"
+
+       .. versionchanged:: ATCv3.1.0
+               For security reasons, the endpoint was reworked so that 
regardless of tenancy, the "portal" :term:`Role` or higher is required.
+
 :Response Type:  ``undefined``
 
 Request Structure
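Review bot: the new `:Roles Required: "portal"` field understates the rule that the `versionchanged` note below it describes ("the 'portal' :term:`Role` or higher is required"); a reader scanning the field list will conclude that admin and operations users are excluded. Suggest `:Roles Required: "portal" or higher` so the field and the note agree. Also check how the tab-indented `.. versionchanged::` directive renders under a field list in this file's other endpoints; the rest of the page uses spaces, and nesting the directive inside the field body may not be what is intended.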
@@ -186,4 +190,3 @@ Response Structure
                }
        ]}
 
-.. [1] A role is only required if tenancy is not used; if tenancy is used by 
Traffic Control, then the user will be able to create the content revalidation 
job on :term:`Delivery Service`\ s scoped to his or her tenancy regardless of 
role. This means that **even read-only users can create content invalidation 
jobs for :term:`Delivery Service`\ s scoped to their tenancy**. This behavior 
is considered a bug, and it is tracked by `GitHub Issue #3116 
<https://github.com/apache/trafficcontrol [...]
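Review bot: deleting footnote `[1]` removes the only place this page explained the tenancy loophole and pointed at GitHub Issue #3116; since the `versionchanged` note in the hunk above says the change was made "for security reasons", it would help readers to carry the issue reference into that note rather than drop it entirely. Also confirm that no other `[1]_` reference remains in `user_current_jobs.rst` after this removal, otherwise Sphinx will emit an undefined-footnote warning.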
diff --git a/traffic_ops/app/lib/API/Job.pm b/traffic_ops/app/lib/API/Job.pm
index fbd7c4a..e307686 100644
--- a/traffic_ops/app/lib/API/Job.pm
+++ b/traffic_ops/app/lib/API/Job.pm
@@ -154,6 +154,10 @@ sub get_current_user_jobs {
 sub create_current_user_job {
        my $self = shift;
 
+       if (!&is_portal($self)) {
+               return $self->forbidden();
+       }
+
        my $ds_id      = $self->req->json->{dsId};
        my $regex      = $self->req->json->{regex};
        my $ttl        = $self->req->json->{ttl};
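Review bot: the `is_portal` check is placed before any request parsing, which is the right spot, but it is called as a plain function with the `&` sigil (`&is_portal($self)`) rather than as a method; confirm that `is_portal` is actually imported into `API::Job` (the rest of this file uses `$self->...` method calls), since an undefined sub here would turn every POST into a 500 instead of a 403. The early `return $self->forbidden();` also records nothing; a denied attempt to create a revalidation job is exactly the event an operator wants in the audit log, so consider logging the user and `dsId` before returning. Finally, `get_current_user_jobs` just above is left unchanged, so the intended policy appears to be "anyone can list, portal or higher can create"; worth stating in the commit message or docs so it is clearly deliberate.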
