Skip to content

ROX-33402: Change permission from modify to view for view based reports#19807

Draft
ksurabhi91 wants to merge 1 commit intomasterfrom
view_perm
Draft

ROX-33402: Change permission from modify to view for view based reports#19807
ksurabhi91 wants to merge 1 commit intomasterfrom
view_perm

Conversation

@ksurabhi91
Copy link
Copy Markdown
Contributor

@ksurabhi91 ksurabhi91 commented Apr 3, 2026
edited
Loading

Currently starting a view based report job and downloading a view based report requires Modify WorkflowAdministration permission. However report should be downloadable for users that can view CVEs on the Results page which requires View Image permission only. This PR lowers the permission set for view based reports to match the API that returns CVE Results.

User-facing documentation

Testing and quality

  • the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
  • CI results are inspected

Automated testing

  • added unit tests
  • added e2e tests
  • added regression tests
  • added compatibility tests
  • modified existing tests

How I validated my change

change me!

@openshift-ci
Copy link
Copy Markdown

openshift-ci bot commented Apr 3, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 3, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.60%. Comparing base (b61d01e) to head (6fe084f).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files 
@@           Coverage Diff           @@
##           master   #19807   +/-   ##
=======================================
  Coverage   49.60%   49.60%           
=======================================
  Files        2763     2763           
  Lines      208271   208271           
=======================================
  Hits       103312   103312           
  Misses      97292    97292           
  Partials     7667     7667
Flag Coverage Δ
go-unit-tests 49.60% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026
edited
Loading

🚀 Build Images Ready

Images are ready for commit 6fe084f. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-558-g6fe084f927

@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Apr 3, 2026

📝 Walkthrough

Summary by CodeRabbit

  • Changes
    • Updated permission requirements for report download and view-based report operations. Users now need View-level access for Workflow Administration instead of Modify-level access.

Walkthrough

Permission requirements for report-related endpoints are downgraded from Modify to View for WorkflowAdministration across two authorization points in the API routing and service layer, while maintaining View permission for Image resources.

Changes

Cohort / File(s) Summary
Report Authorization Changes
central/main.go, central/reports/service/v2/service_impl.go		 Downgrade permission requirement from Modify(resources.WorkflowAdministration) to View(resources.WorkflowAdministration) for the /api/reports/jobs/download endpoint and ReportService_PostViewBasedReport RPC method, while retaining View(resources.Image) permission.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ❓ Inconclusive The description is incomplete. While it explains the rationale and objective clearly, the 'How I validated my change' section contains only placeholder text ('change me!'), and no testing or documentation status boxes are checked. Complete the 'How I validated my change' section with actual validation details, check appropriate testing/documentation checkboxes, and explain why any unchecked items are not applicable.
✅ Passed checks (1 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately summarizes the main change: lowering the permission requirement from Modify to View for view-based reports, which directly matches the changeset modifications in both files.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch view_perm

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Apr 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
central/reports/service/v2/service_impl.go (1)

56-63: ⚠️ Potential issue | 🔴 Critical

The effective permission here is still Modify.

This table now places apiV2.ReportService_PostViewBasedReport_FullMethodName under a view-level authorizer, but PostViewBasedReport still calls workflowSAC.WriteAllowed(ctx) on Line 476. Users who only gain the new view-level permission will still be rejected, so the RPC's actual authorization does not match this change.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@central/reports/service/v2/service_impl.go` around lines 56 - 63, The RPC
mapping puts apiV2.ReportService_PostViewBasedReport_FullMethodName under a
view-level authorizer but the handler PostViewBasedReport still enforces
workflowSAC.WriteAllowed(ctx), so users with only view permissions are rejected;
fix by making the authorization in PostViewBasedReport match the view-level
permission (replace workflowSAC.WriteAllowed(ctx) with the appropriate view/read
check such as workflowSAC.ReadAllowed(ctx) or workflowSAC.ViewAllowed(ctx) and
adjust the error message/logging accordingly), or alternatively move
apiV2.ReportService_PostViewBasedReport_FullMethodName back under the
modify-level permissions to keep WriteAllowed — choose the option that preserves
intended semantics and update any relevant tests.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@central/main.go`:
- Around line 959-963: The download route for "/api/reports/jobs/download"
currently requires permissions.View(resources.WorkflowAdministration) alongside
permissions.View(resources.Image), which blocks users with the target viewer
role; update the authorization on that customRoutes entry (where
NewDownloadHandler() is set) to include the target viewer permission by
replacing or adding permissions.View(resources.TargetViewer) in the
user.With(...) call so users with the target viewer role (and/or workflow admin
as appropriate) can access the download endpoint.

---

Outside diff comments:
In `@central/reports/service/v2/service_impl.go`:
- Around line 56-63: The RPC mapping puts
apiV2.ReportService_PostViewBasedReport_FullMethodName under a view-level
authorizer but the handler PostViewBasedReport still enforces
workflowSAC.WriteAllowed(ctx), so users with only view permissions are rejected;
fix by making the authorization in PostViewBasedReport match the view-level
permission (replace workflowSAC.WriteAllowed(ctx) with the appropriate view/read
check such as workflowSAC.ReadAllowed(ctx) or workflowSAC.ViewAllowed(ctx) and
adjust the error message/logging accordingly), or alternatively move
apiV2.ReportService_PostViewBasedReport_FullMethodName back under the
modify-level permissions to keep WriteAllowed — choose the option that preserves
intended semantics and update any relevant tests.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 89120d04-0ebf-457c-b470-2d8d95f8bc6d

📥 Commits

Reviewing files that changed from the base of the PR and between b61d01e and 6fe084f.

📒 Files selected for processing (2)
  • central/main.go
  • central/reports/service/v2/service_impl.go

central/main.go
Comment on lines 959 to 963
customRoutes = append(customRoutes, routes.CustomRoute{
Route: "/api/reports/jobs/download",
Authorizer: user.With(permissions.Modify(resources.WorkflowAdministration), permissions.View(resources.Image)),
Authorizer: user.With(permissions.View(resources.WorkflowAdministration), permissions.View(resources.Image)),
ServerHandler: v2Service.NewDownloadHandler(),
Compression: true,
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai bot Apr 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

This download route still excludes the target viewer role.

Line 961 still requires permissions.View(resources.WorkflowAdministration) in addition to permissions.View(resources.Image). Users who can view CVE results but lack workflow-administration access will still 403 on /api/reports/jobs/download, so the download side of the permission change is not complete.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@central/main.go` around lines 959 - 963, The download route for
"/api/reports/jobs/download" currently requires
permissions.View(resources.WorkflowAdministration) alongside
permissions.View(resources.Image), which blocks users with the target viewer
role; update the authorization on that customRoutes entry (where
NewDownloadHandler() is set) to include the target viewer permission by
replacing or adding permissions.View(resources.TargetViewer) in the
user.With(...) call so users with the target viewer role (and/or workflow admin
as appropriate) can access the download endpoint.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

area/central coderabbit-review do-not-merge/work-in-progress

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ksurabhi91