Member

@pandafy pandafy commented May 7, 2025

Checklist

  • I have read the OpenWISP Contributing Guidelines.
  • I have manually tested the changes proposed in this pull request.
  • I have written new test cases for new code and/or updated existing tests for changes to existing code.
  • I have updated the documentation.

Reference to Existing Issue

Closes #238

TODOS
-[x] DRF integration
-[x] Tests

coveralls commented May 7, 2025

Coverage Status

coverage: 97.405% (-0.5%) from 97.888%
when pulling 9341c7f on issues/238-view-shared-objects
into a34c334 on master.

@pandafy pandafy force-pushed the issues/238-view-shared-objects branch 3 times, most recently from 0929c13 to 80511df Compare May 9, 2025 17:37
@pandafy pandafy marked this pull request as ready for review May 9, 2025 17:53
@pandafy pandafy force-pushed the issues/238-view-shared-objects branch 2 times, most recently from e72b20e to c1da85c Compare May 26, 2025 19:01
Member

@nemesifier nemesifier left a comment

I haven't performed manual testing yet, I should be able to do this tomorrow.
In the meantime I have looked at the code and left some comments below.

I also noticed two more important points:

  1. Docs: the documentation has a section dedicated to shared objects, I think it's worth updating the text to reflect the functionality achieved in this PR.
  2. DRF 1.6: did you address this point which is listed in the issue description?

def test_organization_autocomplete_filter(self):
"""
The autocomplete_filter should show option to filter
shared objects to non-superuser.
Member

I am not sure I fully understand this docstring/comment: should the option to filter shared objects appear only to users who have the is_superuser flag set to False? Or what does this text mean exactly? Let's make it unambiguous.

django-phonenumber-field~=8.1.0
phonenumbers~=9.0.4
openwisp-utils[rest,celery] @ https://github.com/openwisp/openwisp-utils/tarball/1.2
openwisp-utils[rest,celery] @ https://github.com/openwisp/openwisp-utils/tarball/bump-drf
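
Review bot: the last line installs openwisp-utils from the tarball of the `bump-drf` branch, which is a mutable reference, so two installs from the same requirements file can resolve to different code and nothing records which revision was tested. If a branch build is needed while this PR is in review, point the URL at a specific commit archive instead, and restore the `tarball/1.2` reference from the line above before merging.
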
Member Author

TODO: Revert this before merging

Member

Thanks!

Member

@nemesifier nemesifier left a comment

This is what I found during testing in openwisp-controller:
openwisp/openwisp-controller#1024 (review)

We'll also need a way to protect some sensitive fields like credentials parameters, can you create a subissue for this and link it to the parent issue please? We should work on that as soon as this PR is ready.

@pandafy pandafy changed the title [feature] Allowed ready only access of shared objects to non-superusers #238 [feature] Allowed read only access of shared objects to non-superusers #238 May 28, 2025
@pandafy pandafy moved this from To do (general) to Needs review in OpenWISP Contributor's Board May 28, 2025
@pandafy pandafy moved this from In progress to Ready for review/testing in OpenWISP Priorities for next releases May 28, 2025
objects. However, they can use these shared objects when creating related
organization-specific resources. E.g., an organization manager can use a
shared VPN server to create a configuration template for their
organization.
Member

Let's mention this works both in admin and REST API, let's mention that non superusers may be prevented from viewing sensitive details of certain shared objects which would allow them to gain unauthorized access to resources used by other organizations.

Member

@nemesifier nemesifier left a comment

Looks good! Let's squash the commits into 1 so we can then add new commits on this branch for the follow up issues. Let's not merge this yet to avoid introducing potential security issues in the development version.

@pandafy pandafy force-pushed the issues/238-view-shared-objects branch from fd88b21 to 4c181e0 Compare May 29, 2025 16:31
@pandafy pandafy force-pushed the issues/238-view-shared-objects branch from 4c181e0 to 65c6b17 Compare July 4, 2025 12:15
@pandafy pandafy force-pushed the issues/238-view-shared-objects branch from b1a8dc9 to e81b36f Compare July 8, 2025 19:37
@pandafy pandafy force-pushed the issues/238-view-shared-objects branch from e81b36f to f348ee4 Compare July 8, 2025 19:53
Comment on lines 210 to 212
and not request.user.is_superuser
and "organization" in obj
and obj["organization"] is None
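
Review bot: the `"organization" in obj` guard on the second line makes the whole condition false for any serialized object that does not carry a key with exactly that name, so whatever handling this branch applies to shared objects for non-superusers is skipped for them. If the branch is what restricts access to shared objects, treat a missing key as the restrictive case or take the field name from the serializer rather than hard-coding it, and add a test with an object that lacks the key.
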
Member Author

WIP: The organization field will be made configurable.
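
The review asks that non-superusers viewing shared objects be kept from seeing sensitive fields such as credentials parameters, and that the organization field be configurable. The sketch below is an added example, not code from this pull request or from OpenWISP: it goes beyond the three-line condition by failing closed when the field is missing and by masking nested fields. The function names, sample field names, dotted-path convention and mask value are all hypothetical.

```python
from copy import deepcopy

MASK = "********"  # constructed placeholder shown instead of a secret


def _mask(node, parts):
    """Mask the value at a dotted path inside a dict."""
    key = parts[0]
    if key not in node:
        return
    if len(parts) == 1 or not isinstance(node[key], dict):
        # Leaf reached, or the parent is opaque (e.g. a string blob):
        # hide it whole rather than leave the secret readable.
        node[key] = MASK
    else:
        _mask(node[key], parts[1:])


def visible_representation(obj, is_superuser, sensitive_fields,
                           organization_field="organization"):
    """Return what a user may see of one serialized object.

    A shared object is one whose organization field is None. A missing
    field is treated the same way (fail closed); that is a choice made
    for this sketch, not behaviour taken from the pull request.
    """
    if is_superuser or obj.get(organization_field) is not None:
        return obj
    redacted = deepcopy(obj)  # never mutate the serializer's own data
    for path in sensitive_fields:
        _mask(redacted, path.split("."))
    return redacted


# Constructed sample: a shared credentials object and an owned copy of it.
SHARED = {"name": "default-ssh", "organization": None,
          "params": {"username": "root", "password": "s3cret"}}
OWNED = dict(SHARED, organization="org-a")
SENSITIVE = ["params.password"]

if __name__ == "__main__":
    print(visible_representation(SHARED, False, SENSITIVE))
    print(visible_representation(OWNED, False, SENSITIVE))
```
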

@nemesifier nemesifier moved this to In progress in 25.09 Release Sep 3, 2025
@nemesifier nemesifier moved this from In progress to Ready for review/testing in 25.09 Release Sep 3, 2025
@nemesifier nemesifier moved this from Ready for review/testing to Backlog in 25.09 Release Sep 12, 2025
Projects

Status: Backlog
Status: Needs review
Status: Ready for review/testing

Development

Successfully merging this pull request may close these issues.

[feature] Allow viewing shared objects by non superadministrators as view only

4 participants