RBAC for action-alias help changelog entry.

StackStorm · Sep 15, 2023 · 781a03d · 781a03d
1 parent 1a3fab0
commit 781a03d
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 19 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -13,6 +13,9 @@ Fixed
 * Bumped `paramiko` to `2.10.5` to fix an issue with SSH Certs - https://github.com/paramiko/paramiko/issues/2017
   Contributed by @jk464
 
+* Added RBAC support to action-alias help end point. #6022
+  Contributed by @nzlosh
+
 Added
 ~~~~~
 * Move `git clone` to `user_home/.st2packs` #5845

diff --git a/st2api/st2api/controllers/v1/actionalias.py b/st2api/st2api/controllers/v1/actionalias.py
@@ -20,7 +20,6 @@
 from st2common import log as logging
 from st2common.exceptions.actionalias import ActionAliasAmbiguityException
 from st2common.exceptions.apivalidation import ValueValidationException
-from st2common.exceptions.rbac import ResourceTypeAccessDeniedError
 from st2common.models.api.action import ActionAliasAPI
 from st2common.persistence.actionalias import ActionAlias
 from st2common.rbac.types import PermissionType
@@ -75,13 +74,22 @@ def get_one(self, ref_or_id, requester_user):
             ref_or_id, requester_user=requester_user, permission_type=permission_type
         )
 
-    def match(self, action_alias_match_api):
+    def match(self, action_alias_match_api, requester_user=None):
         """
         Find a matching action alias.
 
         Handles requests:
             POST /actionalias/match
         """
+
+        permission_type = PermissionType.ACTION_ALIAS_MATCH
+        rbac_utils = get_rbac_backend().get_utils_class()
+
+        rbac_utils.assert_user_has_permission(
+            user_db=requester_user,
+            permission_type=permission_type,
+        )
+
         command = action_alias_match_api.command
 
         try:
@@ -111,32 +119,23 @@ def help(self, filter, pack, limit, offset, **kwargs):
 
         permission_type = PermissionType.ACTION_ALIAS_HELP
         rbac_utils = get_rbac_backend().get_utils_class()
-
+        rbac_utils.assert_user_has_permission(
+            user_db=requester_user,
+            permission_type=permission_type,
+        )
         try:
             aliases_resp = super(ActionAliasController, self)._get_all(**kwargs)
-            aliases = []
-            for alias in aliases_resp.json:
-                try:
-                    rbac_utils.assert_user_has_permission(
-                        user_db=requester_user,
-                        permission_type=permission_type,
-                    )
-                    aliases.append(ActionAliasAPI(**alias))
-                except ResourceTypeAccessDeniedError as exception:
-                    # Permission denied, don't include in output.
-                    pass
-                except Exception as exception:
-                    LOG.exception(f"Error processing action-alias.")
+            aliases = [ActionAliasAPI(**alias) for alias in aliases_resp.json]
 
             return generate_helpstring_result(
                 aliases, filter, pack, int(limit), int(offset)
             )
-        except (TypeError) as e:
+        except TypeError as exception_type:
             LOG.exception(
                 "Helpstring request contains an invalid data type: %s.",
-                six.text_type(e),
+                six.text_type(exception_type),
             )
-            return abort(http_client.BAD_REQUEST, six.text_type(e))
+            return abort(http_client.BAD_REQUEST, six.text_type(exception_type))
 
     def post(self, action_alias, requester_user):
         """