AlexandrePTJ / kemai

Kimai desktop client
MIT License

Check permissions #57

Open AlexandrePTJ opened 2 years ago

AlexandrePTJ commented 2 years ago

Check for kimai's rights to ensure

muxelplexer commented 1 year ago

While implementing the Team model I noticed a minor issue with the current kimaiAPI.h file: due to it being included nearly everywhere, any change inside it causes a complete rebuild, which takes its time.

Is it fine if new API models would be implemented inside an api/models/ folder structure?

Looking forward to suggestions/opinions

muxelplexer commented 1 year ago

Also: We get all activities from the endpoint no matter if the user has permissions to book it or not. Do we hide it from the dropdown if the user misses permissions, or deactivate the button and display an info note/display it in an "Unavailable" tab in the dropdown?

Otherwise we'd need to require the user to have the view_team permission to use the team endpoint.

AlexandrePTJ commented 1 year ago

> While implementing the Team model I noticed a minor issue with the current kimaiAPI.h file: due to it being included nearly everywhere, any change inside it causes a complete rebuild, which takes its time.
>
> Is it fine if new API models would be implemented inside an api/models/ folder structure?
>
> Looking forward to suggestions/opinions

As Kimai API is pretty stable, this file is not changing often. Also this project is pretty small, so I am not sure it will have a real impact. However, test it and we will see :)

AlexandrePTJ commented 1 year ago

> Also: We get all activities from the endpoint no matter if the user has permissions to book it or not. Do we hide it from the dropdown if the user misses permissions, or deactivate the button and display an info note/display it in an "Unavailable" tab in the dropdown?
>
> Otherwise we'd need to require the user to have the view_team permission to use the team endpoint.

I think it would be easier to just hide what the user cannot book. It then allows focusing only on what the user can change.

muxelplexer commented 1 year ago

Either I'm going crazy or Kimai changed something upstream? I do not seem to receive any Activities, Projects or Customers for which I do not have booking permissions, just like in the web UI. I suppose I'll be implementing the modify/add permission checks instead then?

muxelplexer commented 1 year ago

Also, I can't find a convenient way to check for permissions apart from trying to launch invalid requests and checking for a 403. We can receive the roles a user is a member of but not the perms a role has :/

AlexandrePTJ commented 1 year ago

OK, I didn't really dig into the roles/permissions API. It looks to be a bit limited, as you said. So let's leave this feature aside for the moment. I will ask the Kimai dev if fetching permissions from the API is planned.

AlexandrePTJ commented 1 year ago

https://github.com/kimai/kimai/issues/4061
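
The 403-based fallback discussed in this thread, as an added example that is not part of the thread or of kemai's code: a client-side cache that learns from the status of requests the client already sends, hides an action only after a confirmed 403, and leaves enforcement to the server. The class, the function names and the action keys (`timesheet.create`, `team.view`) are assumptions made for illustration.

```cpp
// Added example: hypothetical names, not kemai's code or Kimai's API.
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

enum class Access { Unknown, Allowed, Denied };

class PermissionCache {
public:
    // Record the server's answer for one action key (keys are assumptions).
    void observe(const std::string& action, int httpStatus) {
        if (httpStatus == 403)
            m_seen[action] = Access::Denied;   // authenticated but not permitted
        else if (httpStatus >= 200 && httpStatus < 300)
            m_seen[action] = Access::Allowed;
        // 401, 404, 5xx: no statement about the permission; keep prior state.
    }
    Access state(const std::string& action) const {
        auto it = m_seen.find(action);
        return it == m_seen.end() ? Access::Unknown : it->second;
    }
    // UI hint only: hide on confirmed denial. Unknown stays visible and the
    // server, which enforces the permission, gives the final answer.
    bool showInUi(const std::string& action) const {
        return state(action) != Access::Denied;
    }
    // Roles can change server-side: clear on re-login or profile refresh.
    void reset() { m_seen.clear(); }
private:
    std::map<std::string, Access> m_seen;
};

using Observation = std::pair<std::string, int>;

// Feed a list of (action, HTTP status) observations and report one action.
Access replay(const std::vector<Observation>& log, const std::string& action) {
    PermissionCache cache;
    for (const auto& o : log) cache.observe(o.first, o.second);
    return cache.state(action);
}

int main() {
    // Constructed sample: one accepted write, one denial, then an outage.
    std::vector<Observation> log = {
        {"timesheet.create", 201}, {"team.view", 403}, {"team.view", 503}};
    std::cout << (replay(log, "team.view") == Access::Denied) << "\n";
}
```

Because a 401 or 5xx never flips the cached state, an expired token or a server outage does not make actions disappear from the UI.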