Re: [opensuse-buildservice] Denying source access?
On Dienstag, 4. Oktober 2016, 18:48:12 CEST wrote Erico Mendonca:
Yes, same error. Looking at the source, I found /srv/www/obs/api/app/helpers/flag_helper.rb.
The check is actually in app/controllers/source_controller.rb def update_package_meta at least when you see the change_package_protection_level error. So, better double-check that your used user has really the Admin role: osc api /person/$used_user
The default flags are declared here, but I found nowhere in the DB where these flags associated with the projects/packages. If I change the default here to “disable”, the source disappers from all projects (obviously), so this is the flag I need to set (and I can’t).
-- — Erico Mendonça Dedicated Support Engineer SUSE
Em 04/10/16 10:52, "Adrian Schröter" <adrian@suse.de<mailto:adrian@suse.de>> escreveu:
On Dienstag, 27. September 2016, 17:02:05 CEST wrote Erico Mendonca: Hello all, I need to restrict source access in a few packages. I found out about the “<sourceaccess><disable/></sourceaccess>” tags, but whenever I try to edit a package, either via the WebUI or via “osc meta pkg -e”, I get a permission error: BuildService API error: change_package_protection_level (403) admin rights are required to raise the protection level of a package. However, I do have all permissions for the package. I even tried as Admin with the same results. Any ideas? This is a private OBS instance running OBS 2.7.2.
Can you try with
osc meta prj -e ...
? Does it show the same error?
--
Adrian Schroeter email: adrian@suse.de<mailto:adrian@suse.de>
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
-- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Em 04/10/16 15:51, "Adrian Schröter" <adrian@suse.de> escreveu:
The check is actually in
app/controllers/source_controller.rb
def update_package_meta
at least when you see the change_package_protection_level error. So, better double-check that your used user has really the Admin role:
osc api /person/$used_user
Both users I tried return <globalrole>Admin</globalrole>, so they should be able to change sourceaccess. -- — Erico Mendonça Dedicated Support Engineer SUSE N�����r��y隊Z)z{.���Wlz��qﮞ˛���m�)z{.��+�: �{Zr�az�'z��j)h���Ǜ�)]���Ǿ� ޮ�^�ˬz��
Adrian, I checked and tried with two different users, both with Admin role. One of them was actually the Admin user ☺ Is there any place or API I could use to change this permission? -- — Erico Mendonça Dedicated Support Engineer SUSE Em 04/10/16 15:51, "Adrian Schröter" <adrian@suse.de> escreveu: On Dienstag, 4. Oktober 2016, 18:48:12 CEST wrote Erico Mendonca:
The check is actually in
app/controllers/source_controller.rb
def update_package_meta
at least when you see the change_package_protection_level error. So, better double-check that your used user has really the Admin role:
osc api /person/$used_user
On Donnerstag, 13. Oktober 2016, 16:27:07 CEST wrote Erico Mendonca:
Adrian,
I checked and tried with two different users, both with Admin role. One of them was actually the Admin user ☺
First of all, I would like to remind the reason, why this check is there at all. We can not guarantee that you can't reach the source, because other mechanics, eg links pointing to that package can circumvant this check. So our recommendation is still that you add these tags only on creation time of the package or project. Admins might ignore this, but you need to know the OBS internals to understand if you are safe or not.
Is there any place or API I could use to change this permission?
However, I saw that this code check indeed broke in 2.7 branch due to some refactoring. The fix is here for git master: https://github.com/openSUSE/open-build-service/pull/2232 I will backport it to 2.7 branch once it got merged. However, still not a good idea to use that :) hope this helps anyway adrian
-- — Erico Mendonça Dedicated Support Engineer SUSE
Em 04/10/16 15:51, "Adrian Schröter" <adrian@suse.de> escreveu:
On Dienstag, 4. Oktober 2016, 18:48:12 CEST wrote Erico Mendonca:
The check is actually in
app/controllers/source_controller.rb
def update_package_meta
at least when you see the change_package_protection_level error. So, better double-check that your used user has really the Admin role:
osc api /person/$used_user
-- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Adrian, Em 14/10/16 04:44, "Adrian Schröter" <adrian@suse.de> escreveu:
First of all, I would like to remind the reason, why this check is there at all. We can not guarantee that you can't reach the source, because other mechanics, eg links pointing to that package can circumvant this check.
We know a persistent person will find a way around it, but this should defend from the daily casual user ☺
Admins might ignore this, but you need to know the OBS internals to understand if you are safe or not.
The reason I need to restrict access to the source of one specific Project is because the customer is compiling some proprietary code from a hardware supplier. They didn’t like the fact that the SRPMS were published automatically on the their repository server. Instead of messing with the Publisher, I thought using the sourceaccess tag would be more elegant. Unfortunately, they only asked for this after the Project was already created and populated with a few dozen packages.
Is there any place or API I could use to change this permission?
However, I saw that this code check indeed broke in 2.7 branch due to some refactoring. The fix is here for git master:
Thanks for looking into this! -- — Erico Mendonça Dedicated Support Engineer SUSE Em 04/10/16 15:51, "Adrian Schröter" <adrian@suse.de> escreveu: On Dienstag, 4. Oktober 2016, 18:48:12 CEST wrote Erico Mendonca:
The check is actually in
app/controllers/source_controller.rb
def update_package_meta
at least when you see the change_package_protection_level error. So, better double-check that your used user has really the Admin role:
osc api /person/$used_user
-- Adrian Schroeter email: adrian@suse.de SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
participants (2)
-
Adrian Schröter -
Erico Mendonca