[opensuse-buildservice] [PATCH] Unable to delete user via API
Hi, If you try to delete a user from the api (Rails app), you will get a message saying: "You sent an invalid request!" After looking at api/app/controllers/active_rbac/user_controller.rb, I found that you can only POST to destroy and can only GET on delete. So here's another trivial patch that allows deletion of users from the Rails app. Srinidhi. diff --git a/src/api/app/views/active_rbac/user/delete.rhtml b/src/api/app/views/active_rbac/user/delete.rhtml index 90025b2..cf6b983 100644 --- a/src/api/app/views/active_rbac/user/delete.rhtml +++ b/src/api/app/views/active_rbac/user/delete.rhtml @@ -7,7 +7,7 @@ depending on this user (articles, for example). <strong>This action cannot be reverted!</strong> </p> -<% form_for :group, :url => { :action => :delete, :id => @user } do |form| %> +<% form_for :group, :url => { :action => :destroy, :id => @user } do |form| %> <%= submit_tag 'Yes', :name => 'yes' %> <%= submit_tag 'No', :name => 'no' %> -<% end %> \ No newline at end of file +<% end %> -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
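Review bot: on the changed `form_for` line, both submit buttons ('Yes' and 'No') are now posted to `:destroy`, so the destroy action must check which button was pressed before deleting anything. That check is not visible in this patch and should be confirmed, given that the page text above the form says the action cannot be reverted. The form object on the same line is still `:group` although the id passed is `@user`, which looks like a copy-paste leftover; `:user` would be the expected name. The newline-at-end-of-file fix on the last line is unrelated to the bug and would be cleaner as a separate change.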
Hi,
On 2010-08-08 13:38:45 -0600, Srinidhi B wrote:
> If you try to delete a user from the api (Rails app), you will get a message saying:
> "You sent an invalid request!"
> After looking at api/app/controllers/active_rbac/user_controller.rb, I found that you can only POST to destroy and can only GET on delete.
> So here's another trivial patch that allows deletion of users from the Rails app.
User deletion doesn't "work" at the moment. The issue with this patch is that the "destroy" method just removes the user from the database and doesn't update the project/package metadata relations => the db is in an "inconsistent" state.
Marcus
On Monday, 09 August, 2010 at 01:34 AM, Marcus Hüwe wrote:
> Hi,
> On 2010-08-08 13:38:45 -0600, Srinidhi B wrote:
> > If you try to delete a user from the api (Rails app), you will get a message saying:
> > "You sent an invalid request!"
> > After looking at api/app/controllers/active_rbac/user_controller.rb, I found that you can only POST to destroy and can only GET on delete.
> > So here's another trivial patch that allows deletion of users from the Rails app.
> User deletion doesn't "work" at the moment. The issue with this patch is that the "destroy" method just removes the user from the database and doesn't update the project/package metadata relations => the db is in an "inconsistent" state.
Ah okay! I understand. I ensured that I deleted those users' home projects before deleting the user - and I knew that those users weren't part of any other projects / packages. :)
So, the correct fix would be to update all projects / packages to which this user belongs and only then delete the user from the db? Or should there be some more checks?
Srinidhi.
On 2010-08-08 14:15:41 -0600, Srinidhi B wrote:
> On Monday, 09 August, 2010 at 01:34 AM, Marcus Hüwe wrote:
> > Hi,
> > On 2010-08-08 13:38:45 -0600, Srinidhi B wrote:
> > > If you try to delete a user from the api (Rails app), you will get a message saying:
> > > "You sent an invalid request!"
> > > After looking at api/app/controllers/active_rbac/user_controller.rb, I found that you can only POST to destroy and can only GET on delete.
> > > So here's another trivial patch that allows deletion of users from the Rails app.
> > User deletion doesn't "work" at the moment. The issue with this patch is that the "destroy" method just removes the user from the database and doesn't update the project/package metadata relations => the db is in an "inconsistent" state.
> Ah okay! I understand. I ensured that I deleted those users' home projects before deleting the user - and I knew that those users weren't part of any other projects / packages. :)
> So, the correct fix would be to update all projects / packages to which this user belongs and only then delete the user from the db? Or should there be some more checks?
Hmm yes + the groups_users table. Additionally the backend needs to be informed too otherwise the user would still be in the project/package metadata.
Marcus
On Sunday 08 August 2010 22:30:30 Marcus Hüwe wrote:
> On 2010-08-08 14:15:41 -0600, Srinidhi B wrote:
> > On Monday, 09 August, 2010 at 01:34 AM, Marcus Hüwe wrote:
> > > Hi,
> > > On 2010-08-08 13:38:45 -0600, Srinidhi B wrote:
> > > > If you try to delete a user from the api (Rails app), you will get a message saying:
> > > > "You sent an invalid request!"
> > > > After looking at api/app/controllers/active_rbac/user_controller.rb, I found that you can only POST to destroy and can only GET on delete.
> > > > So here's another trivial patch that allows deletion of users from the Rails app.
> > > User deletion doesn't "work" at the moment. The issue with this patch is that the "destroy" method just removes the user from the database and doesn't update the project/package metadata relations => the db is in an "inconsistent" state.
> > Ah okay! I understand. I ensured that I deleted those users' home projects before deleting the user - and I knew that those users weren't part of any other projects / packages. :)
> > So, the correct fix would be to update all projects / packages to which this user belongs and only then delete the user from the db? Or should there be some more checks?
> Hmm yes + the groups_users table. Additionally the backend needs to be informed too otherwise the user would still be in the project/package metadata.
Yes, actually I would like to remove the "delete user" functionality at all. It can only create trouble and even permission/security problems later. Or we modify the function to lock the user.
bye
adrian
--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
On 2010-08-10 11:56:49 +0200, Adrian Schröter wrote:
> On Sunday 08 August 2010 22:30:30 Marcus Hüwe wrote:
> > On 2010-08-08 14:15:41 -0600, Srinidhi B wrote:
<SNIP>
> > > So, the correct fix would be to update all projects / packages to which this user belongs and only then delete the user from the db? Or should there be some more checks?
> > Hmm yes + the groups_users table. Additionally the backend needs to be informed too otherwise the user would still be in the project/package metadata.
> Yes, actually I would like to remove the "delete user" functionality at all. It can only create trouble and even permission/security problems later.
On the one hand it might cause a lot of problems if it's not implemented correctly but on the other hand this is a "crucial" functionality IMHO. So we would need a concept which solves (or avoids) all the issues...
> Or we modify the function to lock the user.
Locking would be a nice additional feature:)
Marcus
On Tuesday 10 August 2010 14:53:35 Marcus Hüwe wrote:
> On 2010-08-10 11:56:49 +0200, Adrian Schröter wrote:
> > On Sunday 08 August 2010 22:30:30 Marcus Hüwe wrote:
> > > On 2010-08-08 14:15:41 -0600, Srinidhi B wrote:
> <SNIP>
> > > > So, the correct fix would be to update all projects / packages to which this user belongs and only then delete the user from the db? Or should there be some more checks?
> > > Hmm yes + the groups_users table. Additionally the backend needs to be informed too otherwise the user would still be in the project/package metadata.
> > Yes, actually I would like to remove the "delete user" functionality at all. It can only create trouble and even permission/security problems later.
> On the one hand it might cause a lot of problems if it's not implemented correctly but on the other hand this is a "crucial" functionality IMHO. So we would need a concept which solves (or avoids) all the issues...
I am not aware of issues on the OBS actually (backend is not doing anything with the user lists). But if you use OBS as central database for your user accounts you may run into problems with other infrastructure. Or with remote OBS instances if we add more OBS interconnect functionality. Okay, it is an Admin-only option in the end, so the admin should know what he is doing ...
> > Or we modify the function to lock the user.
> Locking would be a nice additional feature:)
Locking exists already ;)
--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
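The inconsistency described in the thread, and the two remedies discussed (clean up relations before deleting, or lock instead of delete), as an added Ruby example that is not code from OBS or from any participant. The data is constructed; only `groups_users` is a table name from the thread, while `project_roles`, `sample_db` and the function names are hypothetical.

```ruby
# Constructed in-memory stand-ins for the tables; project_roles is hypothetical.
def sample_db
  {
    users: [{ id: 1, login: 'alice', state: :active },
            { id: 2, login: 'bob', state: :active }],
    groups_users: [{ group_id: 10, user_id: 2 }],
    project_roles: [{ project: 'home:bob', user_id: 2, role: 'maintainer' },
                    { project: 'tools', user_id: 2, role: 'bugowner' },
                    { project: 'tools', user_id: 1, role: 'maintainer' }]
  }
end

RELATION_TABLES = %i[groups_users project_roles].freeze

# What the thread says "destroy" does: drop the user row, nothing else.
def naive_destroy(db, user_id)
  db[:users].reject! { |u| u[:id] == user_id }
  db
end

# Consistency check: relation rows whose user_id has no matching user row.
def orphaned_rows(db)
  known = db[:users].map { |u| u[:id] }
  found = {}
  RELATION_TABLES.each do |table|
    rows = db[table].reject { |row| known.include?(row[:user_id]) }
    found[table] = rows unless rows.empty?
  end
  found
end

# Remove every relation first, then the user. The removed rows are returned
# so a caller can also update the project/package metadata held elsewhere.
def consistent_destroy(db, user_id)
  removed = {}
  RELATION_TABLES.each do |table|
    gone, kept = db[table].partition { |row| row[:user_id] == user_id }
    db[table] = kept
    removed[table] = gone
  end
  db[:users].reject! { |u| u[:id] == user_id }
  removed
end

# The alternative raised in the thread: keep the row and mark it locked.
def lock_user(db, user_id)
  user = db[:users].find { |u| u[:id] == user_id }
  user[:state] = :locked if user
  user
end
```

Running `orphaned_rows` after `naive_destroy(sample_db, 2)` reports the dangling `groups_users` and `project_roles` rows; after `consistent_destroy` or `lock_user` it reports none.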
participants (3)
- Adrian Schröter
- Marcus Hüwe
- Srinidhi B