Enforce add_resourcebase permission control everywhere #7728

Closed
giohappy opened this issue Jul 2, 2021 · 5 comments
@giohappy
Contributor

giohappy commented Jul 2, 2021

The add_resourcebase permission check and Contributors group concepts that have been introduced recently are currently used only by the API v2 (to inform the client about global user permissions) and the upcoming controls for Remote Services.

There's a two-fold rationale behind this addition:

  • It indirectly controls the ability to make a change to the DB when the READ ONLY mode is active. In that case the control on the user permission won't return the add_resourcebase permission. Instead of putting an explicit check on the READ_ONLY mode as it is now (see for example here), we want to check the grant through the add_resourcebase permission.
  • It paves the road to implement read-only registered users. This is the reason for having created the Contributors group. At this moment every registered user is assigned to the group (which has the add_resourcebase permission), but we are now able to stop this automation and have registered users that are simply readers and not contributors.

To be ready for this we want to extend the adoption of the add_resourcebase check inside the templates and views where the ability to create a new resource is checked. For the moment I think the only places where the check is explicitly done are where we control the READ_ONLY configuration, so the change should be straightforward.

@giohappy giohappy added this to the 3.3 milestone Jul 2, 2021
@giohappy giohappy changed the title Enforce the add_resourcebase permission control everywhere Enforce add_resourcebase permission control everywhere Jul 2, 2021
@marthamareal
Contributor

marthamareal commented Jul 5, 2021

@giohappy Do you mean permission base_addresourcebase? It's the permission that is being assigned to the contributor group here.

@giohappy
Contributor Author

giohappy commented Jul 5, 2021

That permission is going to be reverted. The one coming for free from Django auth will be used: add_resourcebase.
This issue depends on the changes done inside this pending PR #7719.

That PR reverts the permission and adopts add_resourcebase for contributors

@giohappy
Contributor Author

giohappy commented Jul 6, 2021

The dependency has been merged, so you can proceed with this @marthamareal

@marthamareal
Contributor

@giohappy In a scenario where a user is an owner of some resources in the system then removed from the contributor's group, should they still be able to update/delete those resources?

@giohappy
Contributor Author

giohappy commented Jul 7, 2021

Owner should always have priority over permissions.
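The policy discussed in this thread, as an added plain-Python model that is not part of the original issue and is not GeoNode code: read-only mode withholds add_resourcebase, Contributors membership grants it, and ownership is checked before any other grant. The class names, the `editors` field, the group-to-permission mapping and the lowercase group name are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ADD_RESOURCEBASE = "add_resourcebase"  # permission name used in the issue
CONTRIBUTORS = "contributors"          # group from the issue (lowercase spelling assumed)

# Hypothetical mapping of groups to the global permissions they carry.
GROUP_PERMS = {CONTRIBUTORS: {ADD_RESOURCEBASE}}


@dataclass
class User:  # hypothetical stand-in for a registered user
    name: str
    groups: set = field(default_factory=set)


@dataclass
class Resource:  # hypothetical stand-in for a resource
    title: str
    owner: User
    editors: set = field(default_factory=set)  # names with a per-resource grant (assumed)


def global_perms(user, read_only=False):
    """Global permissions reported for this user."""
    perms = set()
    for group in user.groups:
        perms |= GROUP_PERMS.get(group, set())
    if read_only:
        # Read-only mode is expressed by withholding the grant, so callers
        # test the permission and never the READ_ONLY flag itself.
        perms.discard(ADD_RESOURCEBASE)
    return perms


def can_create(user, read_only=False):
    """Single gate for every place that offers 'create a new resource'."""
    return ADD_RESOURCEBASE in global_perms(user, read_only)


def can_change(user, resource):
    """Update/delete check: ownership is evaluated first and wins.

    How read-only mode affects edits of existing resources is not covered
    in the thread, so it is not modelled here.
    """
    if resource.owner.name == user.name:
        return True
    return user.name in resource.editors
```
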
