when fetching groups, capture error 403 as rbac failure and cache result #1528
Closes: #1317

Description

As part of a normal flow, `/api/k8s/apis/user.openshift.io/v1/groups` is queried from the project details page. There was however a check in place where this call was skipped if `useUser().isAdmin === true`. Instead of using this check, we ought to be checking RBAC. If the user has permissions to get a resource, we should let them. By simply removing this check we now have to handle error `403`. Or we could perform a self subject access review prior to making the call. I've opted to handle the `403` request as it provides the same feedback as first performing a self subject access review check. `useAccessReview` is a utility that can be used to know if a user has permissions to perform an action. This utility would cache the result such that no further network calls are performed to get the same result. This means if a user is visiting a page and their permissions change in the process, they would require a refresh of the page / component to retrieve the new permissions. As such I have implemented a cache in `useGroups` when an error `403` occurs to mimic the same functionality.

No visible UI changes.
How Has This Been Tested?

- `/api/k8s/apis/user.openshift.io/v1/groups` endpoint.
- `200`: subsequent calls will be made every time `POLL_INTERVAL` ticks (30s).
- `403`: subsequent calls will not be made.

Test Impact

A followup PR with unit tests will be contributed.
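Added example, not code from this PR or the project: a plain JavaScript model of the polling and 403-caching behaviour the description and test notes above lay out. It assumes a synchronous, injected `fetchGroups` stand-in returning `{ status, body }` (the real `useGroups` is a React hook issuing asynchronous requests), a constructed sample group list, and helper names (`createGroupsPoller`, `simulateTicks`, `rbacDeniedCache`, `fakeFetch`) that are not the project's own. `POLL_INTERVAL` and the groups path come from the PR text.

```javascript
// Added example (not the PR's code): models how a poller treats a 403 on the
// groups endpoint as an RBAC failure, caches it, and stops polling, while a 200
// keeps polling every POLL_INTERVAL tick and other errors are surfaced but retried.

const GROUPS_PATH = '/api/k8s/apis/user.openshift.io/v1/groups'; // endpoint named in the PR
const POLL_INTERVAL_MS = 30 * 1000; // the PR's POLL_INTERVAL (30s); ticks are driven manually here

// RBAC denials cached per path, mirroring the useAccessReview semantics the PR
// describes: once a 403 is seen, no further request goes out until the page or
// component is reloaded (which is what resetRbacCache() stands in for).
const rbacDeniedCache = new Map();
function resetRbacCache() {
  rbacDeniedCache.clear();
}

// fetchGroups: assumed synchronous stand-in for the HTTP call, (path) => { status, body }.
function createGroupsPoller(fetchGroups, path = GROUPS_PATH) {
  let state = { groups: [], loaded: false, rbacDenied: false, error: null };
  let requests = 0;

  // One POLL_INTERVAL tick. A cached denial short-circuits before any network call.
  function tick() {
    if (rbacDeniedCache.get(path)) return state;
    requests += 1;
    const res = fetchGroups(path);
    if (res.status === 200) {
      const names = (res.body.items || []).map((g) => g.metadata.name);
      state = { groups: names, loaded: true, rbacDenied: false, error: null };
    } else if (res.status === 403) {
      // 403 is the server's RBAC answer: remember it and stop polling this path.
      rbacDeniedCache.set(path, true);
      state = { groups: [], loaded: true, rbacDenied: true, error: null };
    } else {
      // Any other failure is reported and the next tick tries again.
      state = { ...state, error: `groups request failed with ${res.status}` };
    }
    return state;
  }

  return { tick, getState: () => state, requestCount: () => requests };
}

// Constructed API responses standing in for the Kubernetes API server.
const SAMPLE_GROUPS = {
  items: [{ metadata: { name: 'dev-team' } }, { metadata: { name: 'ops' } }],
};
function fakeFetch(status) {
  return (_path) => (status === 200 ? { status, body: SAMPLE_GROUPS } : { status, body: {} });
}

// Drive n ticks against a server that always answers `status`; return how many
// requests were actually sent and the poller's final state.
function simulateTicks(status, n) {
  resetRbacCache(); // fresh page load
  const poller = createGroupsPoller(fakeFetch(status));
  for (let i = 0; i < n; i += 1) poller.tick();
  return { requests: poller.requestCount(), state: poller.getState() };
}
```

Running `simulateTicks(200, 3)` sends three requests and yields the group names; `simulateTicks(403, 3)` sends exactly one request and marks the state as RBAC-denied, which is the behaviour the test notes describe for each status. A non-RBAC error such as 500 is deliberately not cached, so polling resumes on the next tick.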