emonney / QuickApp

ASP.NET Core / Angular startup project template with complete login, user and role management. Plus other useful services for Quick Application Development
https://www.ebenmonney.com/quickapp
MIT License
1.26k stars, 594 forks

Roles cannot be empty #68

Closed nvoskuilen closed 6 years ago

nvoskuilen commented 6 years ago

1) Login as admin and create a new role (name: UserManager) with only the "User Permissions" checked
2) Create a new user (Manager) and assign it the new (UserManager) role
3) Login with the new (Manager) user and try to create a new user

On save it will show an error "Roles cannot be empty"

emonney commented 6 years ago

This is because you need assignRoles permission too to create new users. Latest commit https://github.com/emonney/QuickApp/commit/f916303a75f553e202be66a5265797fefd03029a addresses this by not showing the "New User" UI when the current user doesn't have the assignRoles permission

nvoskuilen commented 6 years ago

Thanks for your message.

After assigning the "Assign Role" permission to the (UserManager), the "Roles" dropdown shows up but is empty when creating/editing a user as the (Manager). This also results in the "Roles cannot be empty" message. I noticed too that sometimes there actually is one role in the Role list, and it looks like it's the second role in the role list, the one which comes after the role that the (Manager) is assigned to. This can be reproduced by repeatedly clicking create user and closing the modal while checking the role list every cycle.

So one must also assign the "View Role" permission to the UserManager-Role, but then the Manager could elevate itself to Administrator level, and/or create new users with Administrator powers.

f916303 breaks the creation of any users right now:

Save Error The below errors occured whilst saving your changes: Access Denied! Forbidden Http failure response for http://localhost:55127/api/account/users: 403 Forbidden

I think it is the addition of the decorator in the AccountController "[Authorize(AuthPolicies.AssignRolesPolicy)]"
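Added example (not QuickApp's own code, and not the contents of commit f916303): it assumes the 403 came from gating the entire create-user call behind `AuthPolicies.AssignRolesPolicy`, and instead checks that policy only when roles are actually being assigned, while also refusing to grant a role the caller does not hold itself, which is the escalation path described above. `CreateUserRequest`, `ManageUsersPolicy` and `CanGrantRoles` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical request body; QuickApp's real view model differs.
public class CreateUserRequest
{
    public string UserName { get; set; }
    public string[] Roles { get; set; } = Array.Empty<string>();
}

[Authorize]              // authenticated only; the assign-roles policy is NOT applied class-wide
[Route("api/account")]
public class AccountController : ControllerBase
{
    private readonly IAuthorizationService _authz;
    public AccountController(IAuthorizationService authz) => _authz = authz;

    // Pure check, easy to unit-test: a caller may only grant roles it holds itself,
    // so a UserManager cannot create an Administrator or promote its own account.
    public static bool CanGrantRoles(ClaimsPrincipal caller, IEnumerable<string> requested)
    {
        var held = new HashSet<string>(
            caller.FindAll(ClaimTypes.Role).Select(c => c.Value),
            StringComparer.OrdinalIgnoreCase);
        return requested.All(held.Contains);
    }

    [HttpPost("users")]
    [Authorize("ManageUsersPolicy")]   // hypothetical: the "User Permissions" the reporter granted
    public async Task<IActionResult> CreateUser([FromBody] CreateUserRequest req)
    {
        if (req.Roles.Length == 0)
            return BadRequest("Roles cannot be empty");

        // Only callers with the assign-roles permission may set roles at all ...
        var policy = await _authz.AuthorizeAsync(User, nameof(AuthPolicies.AssignRolesPolicy));
        if (!policy.Succeeded)
            return Forbid();

        // ... and even then only roles they already hold (no self-elevation).
        if (!CanGrantRoles(User, req.Roles))
            return Forbid();

        // persist the user here (omitted)
        return Ok();
    }
}
```

The same `CanGrantRoles` check belongs on the update-user path too, since editing an existing user's roles is the other way a manager could elevate an account.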

emonney commented 6 years ago

Please check if you can reproduce this behavior you described in the latest commit

Let me know your take on this and how it can further be improved.