-
Notifications
You must be signed in to change notification settings - Fork 119
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
actually enforce that Guardian users have at grid_access
permission
#4271
Conversation
b072703
to
273406a
Compare
42c0be5
to
6e9210b
Compare
273406a
to
4920a69
Compare
…groundwork done in the logging PR #4270
4920a69
to
1972c7d
Compare
grid_access
permission
In #4270 we logged both whether the user accessing has CC @andrew-nowak given #4270 (review) |
@@ -31,6 +31,5 @@ trait AuthorisationProvider extends Provider { | |||
*/ | |||
def hasPermissionTo(permission: SimplePermission, principal: Principal): Boolean | |||
|
|||
def hasBasicAccessExplicitly(userEmail: String): Boolean = false // default implementation | |||
def hasAtLeastBasicAccess(userEmail: String): Boolean = true // default implementation | |||
def hasBasicAccess(userEmail: String): Boolean = true // default implementation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would make sense to leave this unimplemented with a comment; it should be easy (one-line change) for other (existing or new) organisations to override with true
in their implementations if they don't want to do authorisation checks while still making it an explicit decision (and less chance of accidentally leaving open unintentionally)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
hmm I did think about that, but didn't want the hassle/delay from other orgs implementing to delay this, after talking with you @andrew-nowak in person, I'll make the breaking change (which requires other orgs to implement in their plugged-in auth code) in a follow-up PR so I can merge this one now...
Seen on auth, usage, image-loader, metadata-editor, thrall, leases, cropper, collections, media-api, kahuna (merged by @twrichards 8 minutes and 33 seconds ago) Please check your changes! |
#4270 added logging for users without any permission whilst we can get everybody's permissions in good shape.
What does this change?
This makes use of the
hasAnyGridPermission
val we created in #4270 for the result of thevalidateUser
function. We alsooverride
theshowUnauthedMessage
function to return a more useful 403 response...NOTE: as with #4270 this should be no-op for other organisations using Grid (since they'll be plugging their own
AuthorisationProvider
or relying on the default implementation of the key functionhasBasicAccess
which returns true).How should a reviewer test this change?
Assuming https://github.com/guardian/permissions/pull/186 is deployed to CODE then deploy this branch to TEST main (or run locally) and experiment accessing grid with and without some form of grid permission (incl. new
grid_access
permission), observe the logs and you should see something like the image above.How can success be measured?
adhering better to our security principles guardian/recommendations@b4746d4/README.md#security-principles
Who should look at this?
@guardian/digital-cms @guardian/newsroom-resilience @RichardLe @AndyKilmory @Conalb97
Tested? Documented?