bccsa / luminary

Offline-first content platform
Apache License 2.0

API: Allow self-assigning of permissions to groups with edit access #257

Closed ivanslabbert closed 1 month ago

ivanslabbert commented 1 month ago

Recreating the bug: Remove group "assign" permissions from the Super Admins entry in the Super Admins group and save the change. Re-adding "assign" gets rejected by the API. Is this the expected behavior?

Issue seems to be that ACLs on groups for group permissions are only applied to child groups and not to the group itself.

ivanslabbert commented 1 month ago

The issue occurred due to the following: (Using group names A, B and C as reference.)

  1. Group A needs assign access to group B in order to assign it to group C (assuming group A has edit access to group C)
  2. In this specific issue, group A (super admins) had permissions to itself in order to give inheritable full access to super admin users.
  3. When the (self) assign permission to group A was removed from group A, group A had no more permissions to assign itself to other groups, thereby removing effective inherited super-admin access.

Suggested solution:

  1. Allow users to self-assign any access to a group (i.e. give group A access to itself for any document type) if the user has edit access to the group.
  2. Add validity checking to warn a user if he/she will remove his/her own effective (direct or inherited) access from a group. (#256)

Note on self-assigned permissions: This type of ACL is generally only used where user members of a group need direct access to document members. This was added specifically to allow a Super Admin user to have access to all documents in a system.
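
The rule described in this issue and both suggested changes, as an added sketch that is not Luminary's own code: the types, function names and group id are hypothetical, and only direct ACL entries are checked (inheritance is left out).

```typescript
// Added illustration: types and function names are hypothetical, not Luminary's API.
type Permission = "view" | "edit" | "assign";
interface AclEntry { groupId: string; permissions: Permission[] }
interface Group { id: string; acl: AclEntry[] }

// True if any of the user's groups holds `perm` on `target`.
// Only direct ACL entries are checked; inheritance from parent groups is left out.
function hasPermission(userGroups: string[], target: Group, perm: Permission): boolean {
  return target.acl.some(
    (e) => userGroups.includes(e.groupId) && e.permissions.includes(perm),
  );
}

// May the user write an ACL entry on `target` that grants access to `grantee`?
// allowSelfAssign = false models the rule that produced the rejection,
// allowSelfAssign = true models suggested solution 1.
function canSetAclEntry(
  userGroups: string[], target: Group, grantee: Group, allowSelfAssign: boolean,
): boolean {
  if (!hasPermission(userGroups, target, "edit")) return false;
  if (allowSelfAssign && grantee.id === target.id) return true;
  return hasPermission(userGroups, grantee, "assign");
}

// Suggested solution 2: permissions the user holds on the group now
// but would no longer hold after the change (input for a warning).
function lostPermissions(userGroups: string[], before: Group, after: Group): Permission[] {
  const all: Permission[] = ["view", "edit", "assign"];
  return all.filter(
    (p) => hasPermission(userGroups, before, p) && !hasPermission(userGroups, after, p),
  );
}

// Constructed sample data reproducing the report.
const superAdmins: Group = {
  id: "group-super-admins",
  acl: [{ groupId: "group-super-admins", permissions: ["view", "edit", "assign"] }],
};
const afterRemoval: Group = {
  id: "group-super-admins",
  acl: [{ groupId: "group-super-admins", permissions: ["view", "edit"] }],
};
const user = ["group-super-admins"];

console.log(lostPermissions(user, superAdmins, afterRemoval));        // what the save removes
console.log(canSetAclEntry(user, afterRemoval, afterRemoval, false)); // re-adding "assign", strict rule
console.log(canSetAclEntry(user, afterRemoval, afterRemoval, true));  // re-adding "assign", self-assign allowed
```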