Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove unnecessary MANAGE_ORGANIZATIONS check #887

Merged
merged 2 commits into from
Dec 4, 2023
Merged

Remove unnecessary MANAGE_ORGANIZATIONS check #887

merged 2 commits into from
Dec 4, 2023

Conversation

dlpzx
Copy link
Contributor

@dlpzx dlpzx commented Nov 21, 2023

Feature or Bugfix

  • Bugfix

Detail

  • Remove unnecessary permission check in list environments in the organization

Relates

Security

Please answer the questions below briefly where applicable, or write N/A. Based on
OWASP 10.

  • Does this PR introduce or modify any input fields or queries - this includes
    fetching data from storage outside the application (e.g. a database, an S3 bucket)?
    • Is the input sanitized?
    • What precautions are you taking before deserializing the data you consume?
    • Is injection prevented by parametrizing queries?
    • Have you ensured no eval or similar functions are used?
  • Does this PR introduce any functionality or component that requires authorization?
    • How have you ensured it respects the existing AuthN/AuthZ mechanisms?
    • Are you logging failed auth attempts?
  • Are you using or adding any cryptographic features?
    • Do you use a standard proven implementations?
    • Are the used keys controlled by the customer? Where are they stored?
  • Are you introducing any new policies/roles/users?
    • Have you used the least-privilege principle? How?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@noah-paige
Copy link
Contributor

Tested in AWS that a user (UserA) in a group with no MANAGE_ORGANIZATIONS tenant permission is able to see environments tab for the organization they are apart of. A couple of considerations,

  1. UserA can see ALL environments that are linked to the organization (not just the ones they created as env Admins)
  • do we want to filter to only show the environments that a user in envAdmin for?
  • we would also have to keep a query that shows all environments linked to an org (i.e. the creator of the organization should be able to see all environments linked to their org)
  1. UserA can not view any of the teams that are a part of the organization since we still include @has_tenant_permission(permissions.MANAGE_ORGANIZATIONS) checks on listing the organization groups. I think this is okay but wanted to call it out if the intention is to allow GETS/reads on the organization information without the need for MANAGE_ORGANIZATIONS tenant permission

@dlpzx dlpzx marked this pull request as ready for review November 23, 2023 08:49
@dlpzx
Copy link
Contributor Author

dlpzx commented Nov 23, 2023

  1. In my opinion if you are part of the Organization it is good to see which other environments belong to it. Seeing it from a user perspective, it can lead to collaboration between teams working in separate environments. Something like "we are aware that the X department has linked their account to data.all"
  2. Very similar, seeing other teams in your organization increases the visibility of teams across the enterprise. I think we should change it. What do you think?

@noah-paige
Copy link
Contributor

  1. In my opinion if you are part of the Organization it is good to see which other environments belong to it. Seeing it from a user perspective, it can lead to collaboration between teams working in separate environments. Something like "we are aware that the X department has linked their account to data.all"

    1. Very similar, seeing other teams in your organization increases the visibility of teams across the enterprise. I think we should change it. What do you think?

@dlpzx I do not see any major issues with a team that is part of an organization being able to see what other environments or teams are a part of the larger organization (obviously while ensuring no permissions allowing any other create, update, delete actions on teams/envs they are not a part of)

I think following the same structure with Org-Teams the way we are fixing now for Org-Environments tab make sense, but @zsaltys what are your thoughts on this? Do you see any risks here?

@dlpzx
Copy link
Contributor Author

dlpzx commented Nov 27, 2023

Hi @noah-paige I have made the changes and added a clean-up of an unused method

@noah-paige
Copy link
Contributor

Hi @noah-paige I have made the changes and added a clean-up of an unused method

@dlpzx - have you pushed the changes? I only see the 1 line changed still

@fourtyplustwo
Copy link
Contributor

@noah-paige @dlpzx

  1. If you are part of an env admin team and you're invited into an organization then the other reasonable option would to see only environments which you created or your team is invited to. However seeing all environments is also OK and I do see value in being able to see which other environments are linked in your organization. The change is OK.

  2. I think same answer as above. One reasonable option would be to see only teams you are part of and the other is to see all of them if you're part of the organization. To see all teams is OK.

Overall I think these changes are an improvement over previous behavior and we can improve it further if needed.

@dlpzx dlpzx merged commit 1f28d8e into main Dec 4, 2023
8 checks passed
@dlpzx dlpzx deleted the fix/permission-check-manage-organizations branch December 18, 2023 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nikpodsh nikpodsh nikpodsh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dlpzx @noah-paige @fourtyplustwo @nikpodsh