fixed: Permission error occured when accessing the JobCommits #4434 (#4435)

4 years ago · 42fdea9466
parent 2c863f0dff
commit 42fdea9466
6 changed files with 6947 additions and 5614 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -19,7 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - TDB

 ### Fixed
- TDB
+- Permission error occured when accessing the JobCommits (<https://github.com/openvinotoolkit/cvat/issues/4434>)

 ### Security
 - TDB
--- a/cvat/apps/iam/permissions.py
+++ b/cvat/apps/iam/permissions.py
@ -790,6 +790,7 @@ class JobPermission(OpenPolicyAgentPermission):
            ('annotations', 'PUT'): 'update:annotations',
            ('data', 'GET'): 'view:data',
            ('issues', 'GET'): 'view',
+            ('commits', 'GET'): 'view:commits'
        }.get((view.action, request.method))

        scopes = []
--- a/cvat/apps/iam/rules/jobs.csv
+++ b/cvat/apps/iam/rules/jobs.csv
@ -33,6 +33,10 @@ view:data,Job,Sandbox,None,,GET,/jobs/{id}/data,Admin,N/A
 view:data,Job,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Assignee",,GET,/jobs/{id}/data,None,N/A
 view:data,Job,Organization,None,,GET,/jobs/{id}/data,User,Maintainer
 view:data,Job,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Assignee",,GET,/jobs/{id}/data,None,Worker
+view:commits,Job,Sandbox,None,,GET,/jobs/{id}/commits,Admin,N/A
+view:commits,Job,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Assignee",,GET,/jobs/{id}/commits,None,N/A
+view:commits,Job,Organization,None,,GET,/jobs/{id}/commits,User,Maintainer
+view:commits,Job,Organization,"Project:owner, Project:assignee, Task:owner, Task:assignee, Assignee",,GET,/jobs/{id}/commits,None,Worker
 import:annotations,Job,Sandbox,None,,PUT,/jobs/{id}/annotations?format=,Admin,N/A
 import:annotations,Job,Sandbox,"Project:owner, Project:assignee, Task:owner, Task:assignee, Assignee",,PUT,/jobs/{id}/annotations?format=,Worker,N/A
 import:annotations,Job,Organization,None,,PUT,/jobs/{id}/annotations?format=,User,Maintainer
--- a/cvat/apps/iam/rules/jobs.rego
+++ b/cvat/apps/iam/rules/jobs.rego
@ -139,20 +139,20 @@ filter = [] { # Django Q object to filter list of entries
 }

 allow {
-    { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.VIEW_DATA }[input.scope]
+    { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_COMMITS }[input.scope]
    utils.is_sandbox
    is_job_staff
 }

 allow {
-    { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.VIEW_DATA }[input.scope]
+    { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_COMMITS }[input.scope]
    input.auth.organization.id == input.resource.organization.id
    utils.has_perm(utils.USER)
    organizations.has_perm(organizations.MAINTAINER)
 }

 allow {
-    { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.VIEW_DATA }[input.scope]
+    { utils.VIEW, utils.VIEW_ANNOTATIONS, utils.VIEW_DATA, utils.VIEW_COMMITS }[input.scope]
    input.auth.organization.id == input.resource.organization.id
    organizations.has_perm(organizations.WORKER)
    is_job_staff
--- a/cvat/apps/iam/rules/jobs_test.gen.rego
+++ b/cvat/apps/iam/rules/jobs_test.gen.rego
--- a/cvat/apps/iam/rules/utils.rego
+++ b/cvat/apps/iam/rules/utils.rego
@ -40,6 +40,7 @@ VIEW_ANNOTATIONS := "view:annotations"
 UPDATE_ANNOTATIONS := "update:annotations"
 DELETE_ANNOTATIONS := "delete:annotations"
 VIEW_DATA := "view:data"
+VIEW_COMMITS := "view:commits"
 UPLOAD_DATA := "upload:data"
 IMPORT_ANNOTATIONS := "import:annotations"
 UPDATE_STATE := "update:state"