From 60cf32031565ed8b4b2a4a39380a060997c9d9e4 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Fri, 19 Mar 2021 15:05:31 +0000 Subject: [PATCH] Don't load user role assignment or groups tabs for non-admins As a non admin user, navigate to Identity -> Users. Then click on the username of your user to go to the detail page. Only the allowed Overview tab is visible. The view shows three tabs: Overview, Role assignments, Groups. Click on either Role assignments or Groups. An error will appear, showing that the API call is unauthorised, and the table content will fail to load. This change fixes the issue by conditionally loading the tabs based on policy. Closes-Bug: #1920214 Change-Id: Ic8b723e6fd423b96a4f5eff54f9392cee534ed9e --- openstack_dashboard/dashboards/identity/users/tabs.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/openstack_dashboard/dashboards/identity/users/tabs.py b/openstack_dashboard/dashboards/identity/users/tabs.py index 30bcd0a3da..fe8fa3ba68 100644 --- a/openstack_dashboard/dashboards/identity/users/tabs.py +++ b/openstack_dashboard/dashboards/identity/users/tabs.py @@ -90,6 +90,10 @@ class RoleAssignmentsTab(tabs.TableTab): template_name = "horizon/common/_detail_table.html" preload = False + def allowed(self, request): + return policy.check((("identity", "identity:list_role_assignments"),), + self.request) + def get_roleassignmentstable_data(self): user = self.tab_group.kwargs['user'] @@ -136,6 +140,10 @@ class GroupsTab(tabs.TableTab): template_name = "horizon/common/_detail_table.html" preload = False + def allowed(self, request): + return policy.check((("identity", "identity:list_groups"),), + self.request) + def get_groupstable_data(self): user_groups = [] user = self.tab_group.kwargs['user']