Fixed job route permission (#7891)

* Created clause to distinguish api versions < 5 when handling 403 in middleware wrappers * Removed required permission `DELIVERY-SERVICE:READ` from the job routes in v4 and v5. --------- Co-authored-by: Michie, Kurtis <[email protected]>
apache · Dec 20, 2023 · c0ebe87 · c0ebe87
1 parent 63c6471
commit c0ebe87
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -15,7 +15,6 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 
 ### Fixed
 - [#7846](https://github.com/apache/trafficcontrol/pull/7846) *Traffic Portal* Increase State character limit
-- [#7887](https://github.com/apache/trafficcontrol/pull/7887) *Traffic Ops* Limit Delivery Services returned for GET /servers/{id}/deliveryservices to ones in the same CDN
 
 ## [8.0.0] - 2023-09-20
 ### Added
@@ -99,7 +98,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - [#7814](https://github.com/apache/trafficcontrol/issues/7814) All Go components: Updated the module path to [`github.com/apache/trafficcontrol/v8`](https://pkg.go.dev/github.com/apache/trafficcontrol/v8). Module https://pkg.go.dev/github.com/apache/trafficcontrol will not receive further updates.
 
 ### Fixed
+- [#7891](https://github.com/apache/trafficcontrol/pull/7891) *Traffic Ops*: Created clause to distinguish api versions < 5 when handling 403 in middleware wrappers and updated job routes for v4 and v5
 - [#7890](https://github.com/apache/trafficcontrol/pull/7890) *Traffic Ops*: Fixed missing changelog entries to v5 routes.
+- [#7887](https://github.com/apache/trafficcontrol/pull/7887) *Traffic Ops*: Limit Delivery Services returned for GET /servers/{id}/deliveryservices to ones in the same CDN
 - [#7885](https://github.com/apache/trafficcontrol/pull/7885) *Traffic Portal*: Fixed the issue where Compare Profiles page was not being displayed.
 - [#7879](https://github.com/apache/trafficcontrol/7879) *Traffic Ops, Traffic Portal*: Fixed broken capability links for delivery service and added required capability as a column in DS table.
 - [#7878](https://github.com/apache/trafficcontrol/pull/7878) *Traffic Ops, Traffic Portal*: Fixed the case where TO was failing to assign delivery services to a server, due to a bug in the way the list of preexisting delivery services was being returned.

diff --git a/traffic_ops/traffic_ops_golang/routing/middleware/wrappers.go b/traffic_ops/traffic_ops_golang/routing/middleware/wrappers.go
@@ -120,9 +120,11 @@ func (a AuthBase) GetWrapper(privLevelRequired int) Middleware {
 					return
 				}
 			} else {
-				if !cfg.RoleBasedPermissions && user.PrivLevel < privLevelRequired {
-					api.HandleErr(w, r, nil, http.StatusForbidden, errors.New("Forbidden."), nil)
-					return
+				if v.Major < 5 {
+					if !cfg.RoleBasedPermissions && user.PrivLevel < privLevelRequired {
+						api.HandleErr(w, r, nil, http.StatusForbidden, errors.New("Forbidden."), nil)
+						return
+					}
 				}
 			}
 			api.AddUserToReq(r, user)

diff --git a/traffic_ops/traffic_ops_golang/routing/routes.go b/traffic_ops/traffic_ops_golang/routing/routes.go
@@ -224,9 +224,9 @@ func Routes(d ServerData) ([]Route, http.Handler, error) {
 
 		//Content invalidation jobs
 		{Version: api.Version{Major: 5, Minor: 0}, Method: http.MethodGet, Path: `jobs/?$`, Handler: api.ReadHandler(&invalidationjobs.InvalidationJobV4{}), RequiredPrivLevel: auth.PrivLevelReadOnly, RequiredPermissions: []string{"JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 496678204131},
-		{Version: api.Version{Major: 5, Minor: 0}, Method: http.MethodDelete, Path: `jobs/?$`, Handler: invalidationjobs.DeleteV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:DELETE", "JOB:READ", "DELIVERY-SERVICE:UPDATE", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 41678077631},
-		{Version: api.Version{Major: 5, Minor: 0}, Method: http.MethodPut, Path: `jobs/?$`, Handler: invalidationjobs.UpdateV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:UPDATE", "DELIVERY-SERVICE:UPDATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 48613422631},
-		{Version: api.Version{Major: 5, Minor: 0}, Method: http.MethodPost, Path: `jobs/?`, Handler: invalidationjobs.CreateV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:CREATE", "JOB:READ", "DELIVERY-SERVICE:READ", "DELIVERY-SERVICE:UPDATE"}, Authenticated: Authenticated, Middlewares: nil, ID: 4045095531},
+		{Version: api.Version{Major: 5, Minor: 0}, Method: http.MethodDelete, Path: `jobs/?$`, Handler: invalidationjobs.DeleteV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:DELETE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 41678077631},
+		{Version: api.Version{Major: 5, Minor: 0}, Method: http.MethodPut, Path: `jobs/?$`, Handler: invalidationjobs.UpdateV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:UPDATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 48613422631},
+		{Version: api.Version{Major: 5, Minor: 0}, Method: http.MethodPost, Path: `jobs/?`, Handler: invalidationjobs.CreateV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:CREATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 4045095531},
 
 		//Login
 		{Version: api.Version{Major: 5, Minor: 0}, Method: http.MethodPost, Path: `user/login/?$`, Handler: login.LoginHandler(d.DB, d.Config), RequiredPrivLevel: auth.PrivLevelUnauthenticated, RequiredPermissions: nil, Authenticated: NoAuth, Middlewares: nil, ID: 439267082131},
@@ -629,9 +629,9 @@ func Routes(d ServerData) ([]Route, http.Handler, error) {
 
 		//Content invalidation jobs
 		{Version: api.Version{Major: 4, Minor: 0}, Method: http.MethodGet, Path: `jobs/?$`, Handler: api.ReadHandler(&invalidationjobs.InvalidationJobV4{}), RequiredPrivLevel: auth.PrivLevelReadOnly, RequiredPermissions: []string{"JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 49667820413},
-		{Version: api.Version{Major: 4, Minor: 0}, Method: http.MethodDelete, Path: `jobs/?$`, Handler: invalidationjobs.DeleteV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:DELETE", "JOB:READ", "DELIVERY-SERVICE:UPDATE", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 4167807763},
-		{Version: api.Version{Major: 4, Minor: 0}, Method: http.MethodPut, Path: `jobs/?$`, Handler: invalidationjobs.UpdateV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:UPDATE", "DELIVERY-SERVICE:UPDATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 4861342263},
-		{Version: api.Version{Major: 4, Minor: 0}, Method: http.MethodPost, Path: `jobs/?`, Handler: invalidationjobs.CreateV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:CREATE", "JOB:READ", "DELIVERY-SERVICE:READ", "DELIVERY-SERVICE:UPDATE"}, Authenticated: Authenticated, Middlewares: nil, ID: 404509553},
+		{Version: api.Version{Major: 4, Minor: 0}, Method: http.MethodDelete, Path: `jobs/?$`, Handler: invalidationjobs.DeleteV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:DELETE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 4167807763},
+		{Version: api.Version{Major: 4, Minor: 0}, Method: http.MethodPut, Path: `jobs/?$`, Handler: invalidationjobs.UpdateV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:UPDATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 4861342263},
+		{Version: api.Version{Major: 4, Minor: 0}, Method: http.MethodPost, Path: `jobs/?`, Handler: invalidationjobs.CreateV40, RequiredPrivLevel: auth.PrivLevelPortal, RequiredPermissions: []string{"JOB:CREATE", "JOB:READ", "DELIVERY-SERVICE:READ"}, Authenticated: Authenticated, Middlewares: nil, ID: 404509553},
 
 		//Login
 		{Version: api.Version{Major: 4, Minor: 0}, Method: http.MethodPost, Path: `user/login/?$`, Handler: login.LoginHandler(d.DB, d.Config), RequiredPrivLevel: auth.PrivLevelUnauthenticated, RequiredPermissions: nil, Authenticated: NoAuth, Middlewares: nil, ID: 43926708213},