job statuses: fix filtering for namespace parameter #23456
The job statuses endpoint does not filter jobs by the namespace query parameter unless the user passes a management token. The RPC handler creates a filter based on all the allowed namespaces but improperly conditions reducing this down to only the requested set on there being a management token. Note this does not give the user access to jobs they shouldn't have, only ignores the parameter.

Remove the RPC handler's extra condition that prevents using the requested namespace. This is safe because we specifically check the ACL for that namespace earlier in the handler.

Fixes: #23370
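A simplified model of the handler flow described above, added here as an illustration and not taken from the PR or the project's code. The `Job` type, the `statuses` function, the `fixed` toggle and the `"*"` wildcard are all hypothetical names and assumptions, and the job data is constructed.

```go
package main

import "fmt"

// Job is a hypothetical, simplified job record (not the project's struct).
type Job struct{ Namespace, ID string }

// sampleJobs returns constructed data for the demonstration.
func sampleJobs() []Job {
	return []Job{{"default", "web"}, {"prod", "api"}, {"prod", "db"}, {"secret", "vault"}}
}

// statuses models the handler flow from the PR description. allowed is the
// set of namespaces the token's ACL can read; fixed=false keeps the extra
// management-token condition, fixed=true removes it.
func statuses(jobs []Job, allowed map[string]bool, requested string, mgmt, fixed bool) ([]Job, error) {
	// ACL check for the requested namespace happens first ("*" = all allowed).
	if requested != "*" && !mgmt && !allowed[requested] {
		return nil, fmt.Errorf("permission denied for namespace %q", requested)
	}
	// Build the filter from every namespace the token may read.
	filter := map[string]bool{}
	for _, j := range jobs {
		if mgmt || allowed[j.Namespace] {
			filter[j.Namespace] = true
		}
	}
	// Reduce to the requested namespace. The bug: only done for management tokens.
	if requested != "*" && (fixed || mgmt) {
		filter = map[string]bool{requested: true}
	}
	var out []Job
	for _, j := range jobs {
		if filter[j.Namespace] {
			out = append(out, j)
		}
	}
	return out, nil
}

func main() {
	allowed := map[string]bool{"default": true, "prod": true}
	before, _ := statuses(sampleJobs(), allowed, "prod", false, false)
	after, _ := statuses(sampleJobs(), allowed, "prod", false, true)
	_, err := statuses(sampleJobs(), allowed, "secret", false, true)
	fmt.Println(len(before), len(after), err)
}
```

In this model the unfixed path returns jobs from every readable namespace, never from an unreadable one, which matches the description's point that the parameter is ignored rather than access being widened.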
c73490d to 2c53e73
neat! Related: we've gotten a request to change the namespace dropdown (which only appears if you have any non-default namespaces, re: issue comment) from single-select radios to multi-select checkboxes, and was planning on using filter expressions to do so. Sounds like this makes that possible for non-mgmt, so thank you!
As it turns out, filter expressions already worked. It was only the namespace query parameter which was broken. Which was very confusing to me in the issue! 😁
lgtm!