Closed twrichards closed 4 months ago
In https://github.com/guardian/grid/pull/4270 we logged both whether the user accessing has grid_access
permission and if not whether they have at least some other level of permission. There was only one user in the last two weeks who had the latter, so this PR actually simplifies to definitely require grid_access
permission (see https://github.com/guardian/permissions/pull/186 - noting that grid_access
permission is granted automatically based on some group membership)
CC @andrew-nowak given https://github.com/guardian/grid/pull/4270#pullrequestreview-2048062942
Seen on auth, usage, image-loader, metadata-editor, thrall, leases, cropper, collections, media-api, kahuna (merged by @twrichards 8 minutes and 33 seconds ago) Please check your changes!
https://github.com/guardian/grid/pull/4270 added logging for users without any permission whilst we can get everybody's permissions in good shape.
What does this change?
This makes use of the
hasAnyGridPermission
val we created in #4270 for the result of thevalidateUser
function. We alsooverride
theshowUnauthedMessage
function to return a more useful 403 response...NOTE: as with #4270 this should be no-op for other organisations using Grid (since they'll be plugging their own
AuthorisationProvider
or relying on the default implementation of the key functionhasBasicAccess
which returns true).How should a reviewer test this change?
Assuming https://github.com/guardian/permissions/pull/186 is deployed to CODE then deploy this branch to TEST main (or run locally) and experiment accessing grid with and without some form of grid permission (incl. new
grid_access
permission), observe the logs and you should see something like the image above.How can success be measured?
adhering better to our security principles guardian/recommendations@b4746d4/README.md#security-principles
Who should look at this?
@guardian/digital-cms @guardian/newsroom-resilience @RichardLe @AndyKilmory @Conalb97
Tested? Documented?