Closed RobRuana closed 6 years ago
Merging ASAP, because we're leaking sensitive info.
c.ADMIN
is a new access level that was added with the token based API auth. c.ADMIN
is basically root.
I didn't want API access to spread uncontrollably. So only people with c.ADMIN
can grant API access. Even people with API access can't grant API access to other people.
It's not set up this way everywhere, but people with c.ADMIN
access should be able to do anything on the system. The permissions model needs to be overhauled, but I really wanted to lock down API access and this seemed like the shortest path to get there.
There's a new config setting required_access
that determines what access is needed to grant/revoke permissions for other users. See the relevant config section here.
That being said, I'm happy to remove the reference to c.ADMIN
in question! If it makes the code harder to read – or even if it makes the business logic harder to understand – we should get rid of it!
Oh, okay! I think it's fine as-is, I just had all the old access levels memorized and couldn't remember this new one! :)
This does not cut off access to the whole page, because dept heads need access for the dept checklist. It does hide the columns with sensitive info (roommate requests/anti-requests & special needs).