Hello everyone,

I am working on the https://bugzilla.redhat.com/show_bug.cgi?id=878812 bug, so I played a bit with the code to understand how the permission system works and noticed a few things (please correct me if I am wrong):

- In order to log in to the admin portal, a user needs to have one of the admin roles (role_type = 1)
- the system tree is built using a number of queries
- before running each query, permission validation happens, so the code checks whether the user is able to run a query
- I noticed that none of the queries required to build the system tree is an admin query, and validation depends on the result of getUser().isAdmin() (please check http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=blob;f=backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/QueriesCommandBase.java;h=42b4985830033579802c278a6bae932cf0ffa3c7;hb=refs/heads/master line 123). This statement is always true for a user who was able to log in to the admin portal.

I was able to come up with the following ways to solve this issue (please help to find a good enough one):

- fix verification
- filter results of query
- change the permission model a bit. The structure is quite flat (there are only 2 role_types), or we could go with containers as was proposed in the bug description.

Thanks,
Piotr
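
The gap described in the message, and the "filter results of query" option, as an added example that is not part of the original post and is not oVirt code. It assumes a simplified check in which a query is refused only when it is an admin query and the user is not an admin; every type, method other than `isAdmin()`, and sample value is hypothetical and constructed for illustration.

```java
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Simplified model of the behaviour described in the message above.
// None of these types are oVirt classes; names and data are constructed.
public class TreeQueryModel {
    record User(String name, boolean admin, Set<String> permittedObjects) {
        boolean isAdmin() { return admin; }
    }
    record Query(String name, boolean adminQuery) {}

    // Constructed inventory standing in for the objects shown in the system tree.
    static final List<String> ALL_OBJECTS =
            List.of("dc1", "dc1/cluster-a", "dc2", "dc2/cluster-b");

    // Assumed check: only an admin query run by a non-admin user is refused.
    // Per-object permissions play no part in the decision.
    static boolean validate(User user, Query query) {
        return !query.adminQuery() || user.isAdmin();
    }

    // Once validation passes, the query returns every object.
    static List<String> runUnfiltered(User user, Query query) {
        return validate(user, query) ? ALL_OBJECTS : List.of();
    }

    // "Filter results of query": keep only objects the user holds a permission on.
    static List<String> runFiltered(User user, Query query) {
        return runUnfiltered(user, query).stream()
                .filter(user.permittedObjects()::contains)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Holds an admin role (so isAdmin() is true) but only on part of the tree.
        User scopedAdmin = new User("scoped-admin", true, Set.of("dc1", "dc1/cluster-a"));
        Query treeQuery = new Query("system-tree", false);
        System.out.println("unfiltered: " + runUnfiltered(scopedAdmin, treeQuery));
        System.out.println("filtered:   " + runFiltered(scopedAdmin, treeQuery));
    }
}
```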