Posted to commits@trafficcontrol.apache.org by mi...@apache.org on 2019/07/30 14:31:08 UTC

[trafficcontrol] branch master updated: Restricted job creation to Portal and above (#3742)

This is an automated email from the ASF dual-hosted git repository.

mitchell852 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 2e6a679  Restricted job creation to Portal and above (#3742)
2e6a679 is described below

commit 2e6a6797d55ca28310d0c5eb1be5ec592dcc595f
Author: ocket8888 <oc...@gmail.com>
AuthorDate: Tue Jul 30 08:30:57 2019 -0600

    Restricted job creation to Portal and above (#3742)
    
    * Restricted job creation to Portal and above
    
    * Fixed double check for proper Role
    
    * rolled back ineffectual change
    
    * updated version at which endpoint permissions changed
---
 docs/source/api/user_current_jobs.rst | 7 +++++--
 traffic_ops/app/lib/API/Job.pm        | 4 ++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/docs/source/api/user_current_jobs.rst b/docs/source/api/user_current_jobs.rst
index c754fbe..85f37e9 100644
--- a/docs/source/api/user_current_jobs.rst
+++ b/docs/source/api/user_current_jobs.rst
@@ -122,7 +122,11 @@ Creates a new content revalidation job.
 .. Note:: This method forces a HTTP *revalidation* of the content, and not a new ``GET`` - the origin needs to support revalidation according to the HTTP/1.1 specification, and send a ``200 OK`` or ``304 Not Modified`` HTTP response as appropriate.
 
 :Auth. Required: Yes
-:Roles Required: "admin" or "operations"\ [1]_
+:Roles Required: "portal"
+
+	.. versionchanged:: ATCv3.1.0
+		For security reasons, the endpoint was reworked so that regardless of tenancy, the "portal" :term:`Role` or higher is required.
+
 :Response Type:  ``undefined``
 
 Request Structure
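Review bot: the field list now reads `:Roles Required: "portal"` while the versionchanged note directly under it (and the commit title) say the "portal" Role *or higher* is required; a reader who only scans the field list could conclude that "admin" and "operations" users are now excluded. Suggest stating the same thing in both places, e.g. `:Roles Required: "portal" or higher`, so the field list matches the note and the code gate it documents.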
@@ -186,4 +190,3 @@ Response Structure
 		}
 	]}
 
-.. [1] A role is only required if tenancy is not used; if tenancy is used by Traffic Control, then the user will be able to create the content revalidation job on :term:`Delivery Service`\ s scoped to his or her tenancy regardless of role. This means that **even read-only users can create content invalidation jobs for :term:`Delivery Service`\ s scoped to their tenancy**. This behavior is considered a bug, and it is tracked by `GitHub Issue #3116 <https://github.com/apache/trafficcontrol [...]
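Review bot: deleting the footnote also deletes the only pointer to GitHub Issue #3116, which tracked the "even read-only users can create content invalidation jobs" behaviour this change fixes. Consider carrying that issue reference into the new versionchanged note in the first hunk so the "for security reasons" wording stays traceable to the tracked bug, and so anyone reading the ATCv3.1.0 changelog can find the original report.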
diff --git a/traffic_ops/app/lib/API/Job.pm b/traffic_ops/app/lib/API/Job.pm
index fbd7c4a..e307686 100644
--- a/traffic_ops/app/lib/API/Job.pm
+++ b/traffic_ops/app/lib/API/Job.pm
@@ -154,6 +154,10 @@ sub get_current_user_jobs {
 sub create_current_user_job {
 	my $self = shift;
 
+	if (!&is_portal($self)) {
+		return $self->forbidden();
+	}
+
 	my $ds_id      = $self->req->json->{dsId};
 	my $regex      = $self->req->json->{regex};
 	my $ttl        = $self->req->json->{ttl};
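Review bot: the new gate runs before `$self->req->json` is touched, which is the right order (a caller below the portal level gets `forbidden()` before any dsId/regex/ttl handling or body parsing runs), but it is a role-only check, so the tenancy scoping of `dsId` that the old docs described must still be enforced further down in `create_current_user_job`; the hunk does not show that code, so confirm it was not removed when the "double check for proper Role" was cleaned up. Also confirm that `is_portal` returns true for every Role above portal (admin, operations), since the docs promise "portal or higher" and the commit title says "Portal and above"; if it matches only the portal Role the change would lock out admins.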