cessda / cessda.cvs.two


Create a new superuser role #472

Closed cessda-bitbucket-importer closed 1 year ago

cessda-bitbucket-importer commented 1 year ago

Original report on BitBucket by Maja Dolinar.


In order to distinguish between the roles ADMIN_CONTENT and ROLE_ADMIN, we need to create a new superuser role. ADMIN_CONTENT should have content rights and user management rights in the system, whereas ROLE_ADMIN should have all rights. Need to create a new table for this.

MajaDolinar commented 1 year ago

See table: https://docs.google.com/spreadsheets/d/1wLKK0B5SrSsGsOO7PtZW3E7QPBuJUmwzRHV_WtljNSY/edit#gid=0

Currently the role ADMIN_CONTENT does not have user management rights in the system (I as a user in CVS now need to have 2 roles assigned: ROLE_ADMIN_CONTENT and ROLE_ADMIN to be able to manage users). In the future I should have only the ROLE_ADMIN_CONTENT.

ROLE_ADMIN should have all rights.

See previously closed issue for this https://github.com/cessda/cessda.cvs.two/issues/395: ROLE_ADMIN_CONTENT and ROLE_ADMIN were clashing, because they had the same rights in the system. For release 3.0.0 we will not include User management roles for ROLE_ADMIN_CONTENT, and have ROLE_ADMIN assigned to users that need user management.

pakoselo commented 1 year ago

So I am a little bit confused. The plan is to have only one role admin?

Martin


MajaDolinar commented 1 year ago

I am not sure what other rights there are in the system that are connected to maintenance, if any. Maybe @john-shepherdson or @Joshua-cessda-admin can help in this? I think that only the rights of accessing some technical part of the service would separate ROLE_ADMIN_CONTENT and ROLE_ADMIN probably.

pakoselo commented 1 year ago

That makes sense to me. If this is the correct approach I can implement it like that.


john-shepherdson commented 1 year ago

Nothing to add

pakoselo commented 1 year ago

@MajaDolinar the roles should be solved. I also solved the problems with TECHNICAL_ADMIN (nobody noticed that it probably doesn't work). @Joshocan @john-shepherdson I need also to modify the application.yml, where the health section can be accessed only by ADMIN, not TECHNICAL_ADMIN. I don't know if there are other configurations on the production, but to be sure, the roles are right also on the production. @MajaDolinar I have merged the code with the master, so in a few minutes/hours it should be on dev and/or staging and you should be able to test it. If not, @Joshocan please check the deployment as it breaks sometimes. Thanks

MajaDolinar commented 1 year ago

needs testing

MajaDolinar commented 1 year ago

ROLE_ADMIN_CONTENT is working for user management as well. The issue is resolved.