From d3ca1ca16880fa3f79e6d13c44d88d663e356fec Mon Sep 17 00:00:00 2001
From: Gilbert Cherrie
Date: Thu, 23 Nov 2023 14:08:42 -0500
Subject: [PATCH] Fix settings permissions
---
app/controllers/configuration_controller.rb | 28 ++++++++-----------
.../components/visual-settings-form/index.jsx | 21 ++++++++------
app/views/configuration/show.html.haml | 2 +-
3 files changed, 26 insertions(+), 25 deletions(-)
diff --git a/app/controllers/configuration_controller.rb b/app/controllers/configuration_controller.rb
index a00d5fb190b..91d9902bfcc 100644
--- a/app/controllers/configuration_controller.rb
+++ b/app/controllers/configuration_controller.rb
@@ -21,15 +21,9 @@ def title
def index
assert_privileges('my_settings_view')
+ @change_settings = role_allows?(:feature => 'my_settings_visuals', :any => true)
@breadcrumbs = []
- active_tab = nil
- if role_allows?(:feature => "my_settings_visuals")
- active_tab = 1 if active_tab.nil?
- elsif role_allows?(:feature => "my_settings_default_filters")
- active_tab = 3 if active_tab.nil?
- elsif role_allows?(:feature => "my_settings_time_profiles")
- active_tab = 4 if active_tab.nil?
- end
+ active_tab = 1
@tabform = params[:load_edit_err] ? @tabform : "ui_#{active_tab}"
edit
render :action => "show"
@@ -70,7 +64,8 @@ def edit
# New tab was pressed
def change_tab
- assert_privileges('my_settings_admin')
+ assert_privileges('my_settings_view')
+ @change_settings = role_allows?(:feature => 'my_settings_visuals')
@tabform = "ui_" + params['uib-tab'] if params['uib-tab'] != "5"
edit
render :action => "show"
@@ -151,6 +146,7 @@ def update
# Show the users list
def show_timeprofiles
+ assert_privileges('my_settings_view')
build_tabs if params[:action] == "change_tab" || %w[cancel add save].include?(params[:button])
@timeprofiles = if report_admin_user?
TimeProfile.in_my_region.ordered_by_desc
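Review bot: `index` derives `@change_settings` with `:any => true` while `change_tab` in the following hunk derives the same flag without it, so whether the Visual form will accept a submit can differ depending on whether the user arrived through `index` or through a tab switch. Compute it once, in one form — e.g. `@change_settings = role_allows?(:feature => 'my_settings_visuals')` here to match `change_tab`, or a `before_action` shared by both actions — so the two gates cannot drift. The hard-coded `active_tab = 1` now lands every viewer on the Visual tab, including users the flag will later refuse; a comment such as `# Visual tab is always the landing tab; the form itself is gated by @change_settings` would make that deliberate.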
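Review bot: The tab identifier on the line after the new assertion, `"ui_" + params['uib-tab']`, is still taken verbatim from the request even though the action is now open to every `my_settings_view` holder rather than to admins. Since `build_tabs` in this commit pushes a fixed set of tabs (1, 3, 4), the accepted values are known and the line can whitelist them instead of only excluding `"5"`: `@tabform = "ui_#{params['uib-tab']}" if %w[1 3 4].include?(params['uib-tab'])`. This assumes `show` renders no other `ui_*` tab; if it does, add that id to the list rather than keeping the open concatenation.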
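Review bot: `show_timeprofiles` is gated on `my_settings_view`, whereas the create, edit, copy and delete actions for the same objects in this commit assert `my_settings_time_profiles`; if listing is intentionally open to every settings viewer, say so above the assertion, e.g. `# listing is open to any settings viewer; mutations require my_settings_time_profiles`, otherwise use the narrower feature here too. The `report_admin_user?` conditional that chooses between the region-wide list and the narrower one continues past the hunk, so the scope of the non-admin branch cannot be checked here.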
@@ -213,7 +209,7 @@ def get_hr_str(hr)
end
def timeprofile_new
- assert_privileges("timeprofile_new")
+ assert_privileges("my_settings_time_profiles")
@all_timezones = ActiveSupport::TimeZone.all.collect { |tz| ["(GMT#{tz.formatted_offset}) #{tz.name}", tz.name] }.freeze
@timeprofile = TimeProfile.new
@timeprofile_action = "timeprofile_new"
@@ -225,7 +221,7 @@ def timeprofile_new
end
def timeprofile_edit
- assert_privileges("tp_edit")
+ assert_privileges("my_settings_time_profiles")
@all_timezones = ActiveSupport::TimeZone.all.collect { |tz| ["(GMT#{tz.formatted_offset}) #{tz.name}", tz.name] }.freeze
@timeprofile = TimeProfile.find(params[:id])
@timeprofile_action = "timeprofile_edit"
@@ -249,7 +245,7 @@ def timeprofile_edit
# Delete all selected or single displayed VM(s)
def timeprofile_delete
- assert_privileges("tp_delete")
+ assert_privileges("my_settings_time_profiles")
timeprofiles = []
unless params[:id] # showing a list, scan all selected timeprofiles
timeprofiles = find_checked_items
@@ -278,7 +274,7 @@ def timeprofile_delete
end
def timeprofile_copy
- assert_privileges("tp_copy")
+ assert_privileges("my_settings_time_profiles")
session[:set_copy] = "copy"
@all_timezones = ActiveSupport::TimeZone.all.collect { |tz| ["(GMT#{tz.formatted_offset}) #{tz.name}", tz.name] }.freeze
@in_a_form = true
@@ -381,9 +377,9 @@ def build_tabs
@active_tab = @tabform.split("_").last
@tabs = []
- @tabs.push(["1", _("Visual")]) if role_allows?(:feature => "my_settings_visuals")
- @tabs.push(["3", _("Default Filters")]) if role_allows?(:feature => "my_settings_default_filters")
- @tabs.push(["4", _("Time Profiles")]) if role_allows?(:feature => "my_settings_time_profiles")
+ @tabs.push(["1", _("Visual")])
+ @tabs.push(["3", _("Default Filters")])
+ @tabs.push(["4", _("Time Profiles")])
end
def merge_in_user_settings(settings)
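Review bot: Collapsing `timeprofile_new`, `tp_edit`, `tp_delete` and `tp_copy` into the single `my_settings_time_profiles` feature (this hunk and the three below it) means any role that may create a time profile may now also edit, copy and delete one. If the old identifiers were never declared in the product feature tree this is a straight fix, but if existing roles were built on them it widens their privileges, and that should be stated in the commit message and the retired identifiers removed from any feature or role fixtures in the same change. A one-line comment above the assertion, `# every time-profile action is covered by the my_settings_time_profiles feature`, would record the intent.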
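Review bot: `TimeProfile.find(params[:id])` two lines below the new assertion loads any profile by id, and nothing in the hunk restricts it to the current user or to `report_admin_user?`; now that the gate is the shared `my_settings_time_profiles` feature rather than a dedicated edit feature, that check matters more. `timeprofile_edit` continues past the hunk, so an ownership test may exist further down; if it does not, scope the lookup to the same relation `show_timeprofiles` uses for non-admins before calling `find`. The same question applies to the ids collected by `find_checked_items` in `timeprofile_delete` below.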
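Review bot: The three tabs are now pushed unconditionally, so a user holding only `my_settings_view` sees Default Filters and Time Profiles; the time-profile actions in this commit assert `my_settings_time_profiles`, but no action behind the Default Filters tab (`ui_3`) appears in the diff, so confirm those still assert `my_settings_default_filters` server-side rather than having relied on the tab being hidden. If always listing the tabs is intended, a comment here, `# tabs are always listed; each tab's actions assert their own feature`, records that the gate moved. `show.html.haml` also reads `@tabs[0][1]`, so the Visual tab must stay first in this array.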
diff --git a/app/javascript/components/visual-settings-form/index.jsx b/app/javascript/components/visual-settings-form/index.jsx
index cc2f3e3c67c..309cda5723c 100644
--- a/app/javascript/components/visual-settings-form/index.jsx
+++ b/app/javascript/components/visual-settings-form/index.jsx
@@ -4,7 +4,7 @@ import PropTypes from 'prop-types';
import MiqFormRenderer from '@@ddf';
import createSchema from './visual-settings-form.schema';
-const VisualSettingsForm = ({ recordId }) => {
+const VisualSettingsForm = ({ recordId, changeSettings }) => {
const [{ initialValues, timezoneOptions, isLoading }, setState] = useState({ isLoading: true });
useEffect(() => {
@@ -24,13 +24,17 @@ const VisualSettingsForm = ({ recordId }) => {
}, [recordId]);
const onSubmit = (settings) => {
- settings.perpage.list = parseInt(settings.perpage.list, 10);
- settings.perpage.reports = parseInt(settings.perpage.reports, 10);
- miqSparkleOn();
- API.patch(`/api/users/${recordId}`, { settings }).then(() => {
- window.location.reload();
- add_flash(__('User Interface settings saved'), 'success');
- }).catch(miqSparkleOff);
+ if (changeSettings) {
+ settings.perpage.list = parseInt(settings.perpage.list, 10);
+ settings.perpage.reports = parseInt(settings.perpage.reports, 10);
+ miqSparkleOn();
+ API.patch(`/api/users/${recordId}`, { settings }).then(() => {
+ window.location.reload();
+ add_flash(__('User Interface settings saved'), 'success');
+ }).catch(miqSparkleOff);
+ } else {
+ add_flash(__('The user is not authorized for this task or item.'), 'error');
+ }
};
return !isLoading && (
@@ -45,6 +49,7 @@ const VisualSettingsForm = ({ recordId }) => {
VisualSettingsForm.propTypes = {
recordId: PropTypes.string.isRequired,
+ changeSettings: PropTypes.bool.isRequired,
};
export default VisualSettingsForm;
diff --git a/app/views/configuration/show.html.haml b/app/views/configuration/show.html.haml
index ae8dfbf35c2..e522ea75808 100644
--- a/app/views/configuration/show.html.haml
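Review bot: The `changeSettings` test in `onSubmit` is a client-side convenience only; the `API.patch` to `/api/users/${recordId}` remains the actual authorization boundary and a user lacking `my_settings_visuals` can still send that request directly, so the API must enforce the same feature (it is not part of this diff). The denial also appears only after the user has filled in the form; disabling the form or its submit button when `!changeSettings` would be the more honest experience. Stylistically an early return avoids re-indenting the whole body: `if (!changeSettings) { add_flash(__('The user is not authorized for this task or item.'), 'error'); return; }`.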
+++ b/app/views/configuration/show.html.haml
@@ -3,7 +3,7 @@
- when 'ui_1'
%div{:id => @tabs[0][1], 'role' => 'tabpanel', 'aria-labelledby' =>"#{@tabs[0][1]}_tab"}
= render :partial => "layouts/flash_msg"
- = react 'VisualSettingsForm', :recordId => current_user.id.to_s
+ = react 'VisualSettingsForm', {:recordId => current_user.id.to_s, :changeSettings => @change_settings}
- when 'ui_3'
= render :partial => 'ui_3'
- when 'ui_4'
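Review bot: `@change_settings` is assigned only in `index` and `change_tab`, so any other action that renders `show` with `ui_1` (the `load_edit_err` re-render path hinted at in `index`, if it takes this route) passes `null` here, which trips the `isRequired` prop type and makes the form refuse every submit with the not-authorized message even for permitted users. Either set the flag in a `before_action` for this controller or evaluate it at the call site, `:changeSettings => role_allows?(:feature => 'my_settings_visuals')`, if `role_allows?` is exposed as a view helper. The `case @tabform` that this `when` belongs to starts above the hunk.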