[Engine-devel] Consideration of the permission type

Piotr Kliczewski piotr.kliczewski at gmail.com
Thu Nov 14 15:18:33 UTC 2013


Hello everyone,

I am working on the https://bugzilla.redhat.com/show_bug.cgi?id=878812 bug,
so I played a bit with the code to understand how the permission system
works and noticed a few things (please correct me if I am wrong):
- In order to log in to the admin portal, a user needs to have one of the admin
roles (role_type = 1)
- the system tree is built using a number of queries
- before running each query, permission validation happens, so the code
checks whether the user is able to run the query
- I noticed that none of the queries required to build the system tree is
an admin query, and validation depends on the result of getUser().isAdmin()
(Please check http://gerrit.ovirt.org/gitweb?p=ovirt-engine.git;a=blob;f=backend/manager/modules/bll/src/main/java/org/ovirt/engine/core/bll/QueriesCommandBase.java;h=42b4985830033579802c278a6bae932cf0ffa3c7;hb=refs/heads/master
line 123). This statement is always true for a user who was able to
log in to the admin portal.

I was able to come up with the following ways to solve this issue (please
help to find a good enough one):
- fix verification
- filter results of query
- change the permission model a bit. The structure is quite flat (there
are only 2 role_types), or we could go with containers as was
proposed in the bug description.

Thanks,
Piotr
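
The validation gap and the "filter results of query" option from the message above, as an added example that is not part of the original post and is not oVirt engine code. Every class, method and object name is hypothetical, the sample data is constructed, and it assumes the concern is an admin-role user whose grants cover only some objects.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical model for illustration; none of these names come from ovirt-engine.
public class QueryPermissionDemo {
    static final int ROLE_TYPE_ADMIN = 1; // role_type value named in the post

    static class User {
        final int roleType;
        final Set<String> grantedObjects; // objects this user holds a permission on
        User(int roleType, String... granted) {
            this.roleType = roleType;
            this.grantedObjects = new HashSet<>(Arrays.asList(granted));
        }
        boolean isAdmin() { return roleType == ROLE_TYPE_ADMIN; }
    }

    // Constructed sample data: entities a system-tree query would return.
    static final List<String> ALL_CLUSTERS =
            Arrays.asList("cluster-a", "cluster-b", "cluster-c");

    // Role-only validation: the check passes for anyone holding an admin role,
    // which is everyone who could log in to the admin portal, so it never
    // narrows what the query returns.
    static List<String> treeQueryRoleCheckOnly(User user) {
        if (!user.isAdmin()) throw new SecurityException("query not permitted");
        return ALL_CLUSTERS;
    }

    // "Filter results of query": keep the role gate, then return only the
    // objects the caller actually holds a permission on.
    static List<String> treeQueryFiltered(User user) {
        if (!user.isAdmin()) throw new SecurityException("query not permitted");
        return ALL_CLUSTERS.stream()
                .filter(user.grantedObjects::contains)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Admin-role user whose grants cover a single cluster (constructed).
        User clusterAdmin = new User(ROLE_TYPE_ADMIN, "cluster-a");
        System.out.println("role check only: " + treeQueryRoleCheckOnly(clusterAdmin));
        System.out.println("filtered:        " + treeQueryFiltered(clusterAdmin));
    }
}
```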


