Enable social auth users to see other users.

CHANGES/2781.bugfix

@@ -0,0 +1 @@
+Allow all authenticated users to list and retrieve other users.

galaxy_ng/app/access_control/statements/standalone.py

@@ -198,13 +198,13 @@
             "action": ["list"],
             "principal": "authenticated",
             "effect": "allow",
-            "condition": "has_model_perms:galaxy.view_user"
+            # "condition": "has_model_perms:galaxy.view_user"
         },
         {
             "action": ["retrieve"],
             "principal": "authenticated",
             "effect": "allow",
-            "condition": "has_model_perms:galaxy.view_user"
+            # "condition": "has_model_perms:galaxy.view_user"
         },
         {
             "action": "destroy",

galaxy_ng/tests/integration/api/test_rbac_roles.py

@@ -613,6 +613,7 @@
     view_tasks,
     view_role,
     view_pulp_groups,
+    view_users,
 }
 
 DENIED_FOR_ALL_USERS = {

galaxy_ng/tests/integration/community/test_community_namespace_rbac.py

@@ -570,3 +570,28 @@ def test_community_social_v3_namespace_sorting(ansible_config):
     # https://issues.redhat.com/browse/AAH-2729
     # social auth code was trying to sort namespaces ...
     pass
+
+
+@pytest.mark.deployment_community
+def test_social_auth_access_api_ui_v1_users(ansible_config):
+    # https://issues.redhat.com/browse/AAH-2781
+
+    username = "foo1234"
+    default_cfg = extract_default_config(ansible_config)
+
+    ga = GithubAdminClient()
+    ga.delete_user(login=username)
+
+    user_c = ga.create_user(login=username, email="[email protected]")
+    user_c.update(default_cfg)
+    user_c['username'] = username
+
+    with SocialGithubClient(config=user_c) as client:
+        users_resp = client.get('_ui/v1/users/')
+        assert users_resp.status_code == 200
+
+        # try to fetch each user ..
+        for udata in users_resp.json()['data']:
+            uid = udata['id']
+            user_resp = client.get(f'_ui/v1/users/{uid}/')
+            assert user_resp.status_code == 200

galaxy_ng/tests/unit/api/test_api_ui_user_viewsets.py

@@ -130,39 +130,41 @@ def test_user_can_create_users_with_right_perms(self):
         self.assertEqual(response.status_code, status.HTTP_201_CREATED)
 
     def test_user_list(self):
-        def _test_user_list():
+        def _test_user_list(expected=None):
+            # Check test user can[not] view other users
             self.client.force_authenticate(user=self.user)
             log.debug("self.client: %s", self.client)
             log.debug("self.client.__dict__: %s", self.client.__dict__)
             response = self.client.get(self.user_url)
-            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+            self.assertEqual(response.status_code, expected)
 
+            # Check admin user can -always- view others
             self.client.force_authenticate(user=self.admin_user)
             response = self.client.get(self.user_url)
             self.assertEqual(response.status_code, status.HTTP_200_OK)
             data = response.data["data"]
             self.assertEqual(len(data), auth_models.User.objects.all().count())
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
-            _test_user_list()
+            _test_user_list(expected=status.HTTP_200_OK)
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
-            _test_user_list()
+            _test_user_list(expected=status.HTTP_403_FORBIDDEN)
 
     def test_user_get(self):
-        def _test_user_get():
-            # Check test user cannot view themselves on the users/ api
+        def _test_user_get(expected=None):
+            # Check test user can[not] view themselves on the users/ api
             self.client.force_authenticate(user=self.user)
             url = "{}{}/".format(self.user_url, self.user.id)
             response = self.client.get(url)
-            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+            self.assertEqual(response.status_code, expected)
 
-            # Check test user cannot view other users
+            # Check test user can[not] view other users
             url = "{}{}/".format(self.user_url, self.admin_user.id)
             response = self.client.get(url)
-            self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+            self.assertEqual(response.status_code, expected)
 
-            # Check admin user can view others
+            # Check admin user can -always- view others
             self.client.force_authenticate(user=self.admin_user)
             url = "{}{}/".format(self.user_url, self.user.id)
             response = self.client.get(url)
@@ -175,10 +177,10 @@ def _test_user_get():
                 self.assertTrue(self.user.groups.exists(id=group["id"]))
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.STANDALONE.value):
-            _test_user_get()
+            _test_user_get(expected=status.HTTP_200_OK)
 
         with self.settings(GALAXY_DEPLOYMENT_MODE=DeploymentMode.INSIGHTS.value):
-            _test_user_get()
+            _test_user_get(expected=status.HTTP_403_FORBIDDEN)
 
     def _test_create_or_update(self, method_call, url, new_user_data, crud_status, auth_user):
         self.client.force_authenticate(user=auth_user)