Open nqb opened 4 years ago
Can we just add the CONFIGURATION_MAIN_READ?
@lzammit, that's not the right way to fix that issue from my point of view.
I've pushed a couple of related commits to user rights management. It should fix this, but @nqb said CONFIGURATION_MAIN_READ isn't the "right" way to fix it, so I'll leave this open, but this is technically fixed.
In my previous comment, I would like to mention that adding CONFIGURATION_MAIN_READ to User managers provides wide access to configuration when it doesn't seem to be necessary (in application of PoLP).
Assigning @julsemaan and @nqb, changes required for front-end are not defined. More discussion is needed.
Describe the bug
When you log in as a User Manager and try to create a user, you get a warning about a missing CONFIGURATION_MAIN_READ role.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
User Manager admin access should work without warnings.
Additional context
It seems that the frontend is calling /api/v1/config/base/guests_admin_registration when loading the page in place of /api/v1/current_user/allowed_user_access_durations. However, /api/v1/current_user/allowed_user_access_durations is correctly called when you add an "Access duration" action.