Merge pull request ManageIQ#1230 from Fryguy/let_user_see_themselves

Allow the user to list and see themselves even without rbac_user_show
jrafanie · Nov 14, 2023 · cc89506 · cc89506
2 parents bc6ce5a + b695962
commit cc89506
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 7 deletions.
diff --git a/app/controllers/api/users_controller.rb b/app/controllers/api/users_controller.rb
@@ -7,11 +7,23 @@ class UsersController < BaseController
     include Subcollections::CustomButtonEvents
     include Subcollections::Tags
 
-    skip_before_action :validate_api_action, :only => :update
+    skip_before_action :validate_api_action, :only => [:index, :show, :update]
+
+    def index # rubocop:disable Lint/UselessMethodDefinition
+      # Rails style guide and Rubocop suggest this method to be lexically redefined since we are skipping validate_api_action
+      # See https://rails.rubystyle.guide/#lexically-scoped-action-filter
+      #     https://docs.rubocop.org/rubocop-rails/cops_rails.html#railslexicallyscopedactionfilter
+      super
+    end
+
+    def show
+      validate_api_action unless target_is_api_user?
+      super
+    end
 
     def update
       aname = @req.action
-      if aname == "edit" && !api_user_role_allows?(aname) && update_target_is_api_user?
+      if aname == "edit" && !api_user_role_allows?(aname) && target_is_api_user?
         if (Array(@req.resource.try(:keys)) - EDITABLE_ATTRS).present?
           raise BadRequestError,
                 "Cannot update attributes other than #{EDITABLE_ATTRS.join(', ')} for the authenticated user"
@@ -90,7 +102,7 @@ def target_user(id, type)
       end
     end
 
-    def update_target_is_api_user?
+    def target_is_api_user?
       User.current_user.id == @req.collection_id.to_i
     end
 

diff --git a/config/api.yml b/config/api.yml
@@ -4562,7 +4562,9 @@
         :identifier: tp_delete
   :users:
     :description: Users
-    :identifier: rbac_user
+    :identifier:
+    - rbac_user
+    - my_settings_view
     :options:
     - :collection
     - :custom_actions
@@ -4575,10 +4577,14 @@
     :collection_actions:
       :get:
       - :name: read
-        :identifier: rbac_user_show_list
+        :identifier:
+        - rbac_user_show_list
+        - my_settings_view
       :post:
       - :name: query
-        :identifier: rbac_user_show_list
+        :identifier:
+        - rbac_user_show_list
+        - my_settings_view
       - :name: create
         :identifier: rbac_user_add
       - :name: edit
@@ -4593,7 +4599,9 @@
     :resource_actions:
       :get:
       - :name: read
-        :identifier: rbac_user_show
+        :identifier:
+        - rbac_user_show
+        - my_settings_view
       :post:
       - :name: edit
         :identifier: rbac_user_edit