Posted to commits@trafficcontrol.apache.org by mi...@apache.org on 2019/07/30 14:31:08 UTC
[trafficcontrol] branch master updated: Restricted job creation to Portal and above (#3742)
This is an automated email from the ASF dual-hosted git repository.
mitchell852 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/master by this push:
new 2e6a679 Restricted job creation to Portal and above (#3742)
2e6a679 is described below
commit 2e6a6797d55ca28310d0c5eb1be5ec592dcc595f
Author: ocket8888 <oc...@gmail.com>
AuthorDate: Tue Jul 30 08:30:57 2019 -0600
Restricted job creation to Portal and above (#3742)
* Restricted job creation to Portal and above
* Fixed double check for proper Role
* rolled back ineffectual change
* updated version at which endpoint permissions changed
---
docs/source/api/user_current_jobs.rst | 7 +++++--
traffic_ops/app/lib/API/Job.pm | 4 ++++
2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/docs/source/api/user_current_jobs.rst b/docs/source/api/user_current_jobs.rst
index c754fbe..85f37e9 100644
--- a/docs/source/api/user_current_jobs.rst
+++ b/docs/source/api/user_current_jobs.rst
@@ -122,7 +122,11 @@ Creates a new content revalidation job.
.. Note:: This method forces a HTTP *revalidation* of the content, and not a new ``GET`` - the origin needs to support revalidation according to the HTTP/1.1 specification, and send a ``200 OK`` or ``304 Not Modified`` HTTP response as appropriate.
:Auth. Required: Yes
-:Roles Required: "admin" or "operations"\ [1]_
+:Roles Required: "portal"
+
+ .. versionchanged:: ATCv3.1.0
+ For security reasons, the endpoint was reworked so that regardless of tenancy, the "portal" :term:`Role` or higher is required.
+
:Response Type: ``undefined``
Request Structure
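Review bot: the `:Roles Required:` field and the `versionchanged` note in this hunk disagree slightly: the field now reads just `"portal"`, while the note says the "portal" Role *or higher* is required. Since the note is the authoritative statement of the new behaviour, make the field match it, e.g. `:Roles Required: "portal" or higher`, so a reader scanning only the field list does not conclude that admin or operations users are excluded.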
@@ -186,4 +190,3 @@ Response Structure
}
]}
-.. [1] A role is only required if tenancy is not used; if tenancy is used by Traffic Control, then the user will be able to create the content revalidation job on :term:`Delivery Service`\ s scoped to his or her tenancy regardless of role. This means that **even read-only users can create content invalidation jobs for :term:`Delivery Service`\ s scoped to their tenancy**. This behavior is considered a bug, and it is tracked by `GitHub Issue #3116 <https://github.com/apache/trafficcontrol [...]
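Review bot: dropping this footnote also drops the only pointer to the issue that tracked the old behaviour (GitHub Issue #3116, which the footnote described as the tracker for read-only users being able to create invalidation jobs within their tenancy). Consider referencing that issue from the new `versionchanged` note in the hunk above, so readers of the docs can still find why the permission requirement changed in ATCv3.1.0, and confirm the issue is closed by this change.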
diff --git a/traffic_ops/app/lib/API/Job.pm b/traffic_ops/app/lib/API/Job.pm
index fbd7c4a..e307686 100644
--- a/traffic_ops/app/lib/API/Job.pm
+++ b/traffic_ops/app/lib/API/Job.pm
@@ -154,6 +154,10 @@ sub get_current_user_jobs {
sub create_current_user_job {
my $self = shift;
+ if (!&is_portal($self)) {
+ return $self->forbidden();
+ }
+
my $ds_id = $self->req->json->{dsId};
my $regex = $self->req->json->{regex};
my $ttl = $self->req->json->{ttl};
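Review bot: placing the role gate before any request JSON is read is the right ordering (authorization before input handling), but two things should be confirmed. First, the docs hunk states the requirement as "portal" *or higher*; confirm that `is_portal` returns true for the admin and operations Roles as well, otherwise this change locks out the users who previously had access. Second, the removed doc footnote says tenancy scoping of the target :term:`Delivery Service` was already applied; this hunk adds a Role gate but shows nothing about tenancy, so verify that the existing tenancy check on `$ds_id` still runs after this early return, since the documented behaviour is that the Role is required *in addition to* tenancy, not instead of it. A test exercising the `forbidden()` path for a read-only user would make both points regression-safe.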