From c8c8ee52bdf76926d7fa2c3fcf554bc749fd451c Mon Sep 17 00:00:00 2001
From: Joe Rafaniello
Date: Tue, 22 Jul 2025 16:12:44 -0400
Subject: [PATCH] WIP - bypass feature validation for dynamic tenant features
---
 app/controllers/ops_controller/ops_rbac.rb | 2 ++
 app/helpers/application_helper.rb | 16 +++++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/app/controllers/ops_controller/ops_rbac.rb b/app/controllers/ops_controller/ops_rbac.rb
index 21137282e5b..fb1a370aaff 100644
--- a/app/controllers/ops_controller/ops_rbac.rb
+++ b/app/controllers/ops_controller/ops_rbac.rb
@@ -17,6 +17,8 @@ def role_allows?(**options)
 end
 options[:feature] = MiqProductFeature.tenant_identifier(options[:feature], id)
+ # dynamic tenant feature identifiers need to bypass feature validation
+ options[:skip_feature_validation] = true
 end
 super(**options)
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index f2961b5c1cd..71fbf779994 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -104,6 +104,16 @@ def role_allows?(**options)
 return false
 end
+ # ops_rbac role_allows's dynamic tenant features are supported in rbac but not
+ # with direct lookup in validate_features so we skip it.
+ validate_features(features) unless !!options.delete(:skip_feature_validation)
+
+ Rbac.role_allows?(:user => User.current_user, **options) rescue false
+ end
+ module_function :role_allows?
+ public :role_allows?
+
+ def validate_features(features)
 # Detect if queried features are missing from the database and possibly invalid
 if !Rails.env.production? && features.detect { |feature| !MiqProductFeature.feature_exists?(feature) }
 message = "#{__method__} no feature was found with identifier: #{features.inspect}. Correct the identifier or add it to miq_product_features.yml."
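Review bot: The new comment in ops_rbac.rb's `role_allows?` says the tenant identifier must "bypass feature validation", which in an authorization path reads as if the permission check itself were skipped. From the helper hunks, the skipped step appears to be only the non-production identifier sanity check, and the `Rbac.role_allows?` call behind `super` still runs. I would say so explicitly, e.g. `# Skip only the dev/test identifier sanity check in ApplicationHelper#role_allows?; the Rbac decision made via super is unchanged.` Note also that with the flag set, a mistyped base feature passed into this branch is no longer caught in development or test. If that check is still wanted, the base identifier could be validated before it is rewritten by `tenant_identifier`. The enclosing method starts outside the hunk.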
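Review bot: Once the check is extracted into `validate_features`, the `#{__method__}` interpolation in the `message` string evaluates to `validate_features` instead of `role_allows?`, so the development/test error no longer names the call the developer actually made. Spell the name out, e.g. begin the string with `role_allows? no feature was found with identifier:`, or pass the caller's name in as an argument. On style, `unless !!options.delete(:skip_feature_validation)` stacks a double negation on `unless`; `validate_features(features) unless options.delete(:skip_feature_validation)` behaves the same and is easier to read. The body of `validate_features` continues into the next hunk.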
@@ -114,12 +124,8 @@ def role_allows?(**options)
 raise("#{message} Note: detected features: #{identifiers.inspect}")
 end
 end
-
- Rbac.role_allows?(:user => User.current_user, **options) rescue false
 end
-
- module_function :role_allows?
- public :role_allows?
+ module_function :validate_features
 # NB: This differs from controller_for_model; until they're unified,
 # make sure you have the right one.