Cadasta / cadasta-platform

[DEPRECATED] Main repository of the Cadasta platform. Technology to help communities document their land rights around the world.
https://demo.cadasta.org
GNU Affero General Public License v3.0

Deactivated user handling #1518

Open amplifi opened 7 years ago

amplifi commented 7 years ago

Steps to reproduce the error

Deactivated users can be added to organizations and projects.

Expected behavior

Deactivated users should require re-activation prior to being added to organizations and projects. This currently exacerbates a performance issue in demo, and is poor security practice.

Secondary (for discussion): Deactivating a user should strip that account of its current permissions across all orgs/projects.

dpalomino commented 7 years ago

Thanks @amplifi

> Secondary (for discussion): Deactivating a user should strip that account of its current permissions across all orgs/projects.

But it is not possible to access those orgs/projects using this account while it is deactivated, right? If we strip permissions across orgs/projects, wouldn't we need to restore them when the account is reactivated?

Not sure what the best solution is, though...

amplifi commented 7 years ago

@dpalomino Yes, if we strip user permissions when an account is deactivated, the account would then need to be re-added to its org/projects. Ironically, under tutelary this could be automated because it retains a full permissions history for each user, so the 'Re-activate' button could easily reapply the user's last known permission set. A similar audit history could (and should) be maintained under our replacement permissions implementation, which would allow us to restore permissions.
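The two behaviours discussed in this thread (refuse to add a deactivated account to an org or project, and strip an account's roles on deactivation while keeping enough audit history to reapply them on re-activation) can be sketched without any Django or tutelary dependency. The following is an added example written for this page, not Cadasta platform code; `User`, `PermissionStore`, `AuditEntry`, the scope strings and the action labels are all assumptions made for illustration.

```python
"""Added example (not Cadasta platform code): a dependency-free model of the
deactivated-user policy discussed in issue #1518.

1. add_member() rejects inactive accounts outright.
2. deactivate() revokes every role the account holds, but an append-only audit
   history retains enough detail for reactivate() to reapply the last known
   permission set, mirroring what the thread says tutelary's history allows.
All names (User, PermissionStore, AuditEntry, scopes, actions) are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class InactiveUserError(Exception):
    """Raised when an inactive account is added to an organization or project."""


@dataclass
class User:
    username: str
    is_active: bool = True


@dataclass(frozen=True)
class AuditEntry:
    username: str
    action: str                  # "grant", "revoke", "deactivate" or "reactivate"
    scope: Optional[str] = None  # e.g. "org:acme" or "project:acme/survey" (assumed format)
    role: Optional[str] = None


@dataclass
class PermissionStore:
    # Live roles: username -> {scope: role}
    roles: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # Append-only history; entries are never rewritten, only appended
    history: List[AuditEntry] = field(default_factory=list)

    def add_member(self, user: User, scope: str, role: str) -> None:
        """Grant a role, refusing inactive accounts (the fix requested in the issue)."""
        if not user.is_active:
            raise InactiveUserError(
                f"{user.username} is deactivated; re-activate before adding to {scope}")
        self.roles.setdefault(user.username, {})[scope] = role
        self.history.append(AuditEntry(user.username, "grant", scope, role))

    def remove_member(self, user: User, scope: str) -> None:
        """Ordinary revocation of a single role; also used during deactivation."""
        role = self.roles.get(user.username, {}).pop(scope, None)
        if role is not None:
            self.history.append(AuditEntry(user.username, "revoke", scope, role))

    def deactivate(self, user: User) -> None:
        """Mark the account inactive and strip all roles, logging each revocation.

        The "deactivate" marker is written before the revocations so that a
        replay of the history sees the full role set at the moment of deactivation.
        """
        user.is_active = False
        self.history.append(AuditEntry(user.username, "deactivate"))
        for scope in list(self.roles.get(user.username, {})):
            self.remove_member(user, scope)

    def last_known_roles(self, username: str) -> Dict[str, str]:
        """Replay the audit log to recover the roles held at the most recent deactivation."""
        current: Dict[str, str] = {}
        snapshot: Dict[str, str] = {}
        for e in self.history:
            if e.username != username:
                continue
            if e.action == "grant":
                current[e.scope] = e.role
            elif e.action == "revoke":
                current.pop(e.scope, None)
            elif e.action == "deactivate":
                snapshot = dict(current)
        return snapshot

    def reactivate(self, user: User) -> Dict[str, str]:
        """Re-enable the account and reapply its last known permission set."""
        user.is_active = True
        self.history.append(AuditEntry(user.username, "reactivate"))
        restored = self.last_known_roles(user.username)
        for scope, role in restored.items():
            self.add_member(user, scope, role)
        return restored


def demo() -> Dict[str, object]:
    """Constructed walk-through: grant, change, deactivate, reject, reactivate."""
    store = PermissionStore()
    alice = User("alice")
    store.add_member(alice, "org:acme", "admin")
    store.add_member(alice, "project:acme/survey", "data-collector")
    store.remove_member(alice, "project:acme/survey")          # role changed before deactivation
    store.add_member(alice, "project:acme/survey", "project-manager")

    store.deactivate(alice)
    try:
        store.add_member(alice, "org:other", "member")          # must be refused
        rejected = False
    except InactiveUserError:
        rejected = True

    restored = store.reactivate(alice)
    return {"rejected_while_inactive": rejected,
            "restored": restored,
            "live": dict(store.roles["alice"])}


if __name__ == "__main__":
    print(demo())
```

Because the history is append-only and the snapshot is rebuilt by replay rather than stored, the same log doubles as an audit trail of every grant and revocation; in a real deployment the re-application on reactivation would sensibly be an explicit administrator action rather than automatic, since an org's membership may have changed in the meantime.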