RobRuana
commented
6 years ago Merging ASAP, because we're leaking sensitive info.
Closed RobRuana closed 6 years ago
RobRuana
commented
6 years ago Merging ASAP, because we're leaking sensitive info.
RobRuana
commented
6 years ago c.ADMIN is a new access level that was added with the token based API auth. c.ADMIN is basically root.
I didn't want API access to spread uncontrollably. So only people with c.ADMIN can grant API access. Even people with API access can't grant API access to other people.
It's not set up this way everywhere, but people with c.ADMIN access should be able to do anything on the system. The permissions model needs to be overhauled, but I really wanted to lock down API access and this seemed like the shortest path to get there.
There's a new config setting required_access that determines what access is needed to grant/revoke permissions for other users. See the relevant config section here.
That being said, I'm happy to remove the reference to c.ADMIN in question! If it makes the code harder to read – or even if it makes the business logic harder to understand – we should get rid of it!
kitsuta
commented
6 years ago Oh, okay! I think it's fine as-is, I just had all the old access levels memorized and couldn't remember this new one! :)
This does not cut off access to the whole page, because dept heads need access for the dept checklist. It does hide the columns with sensitive info (roommate requests/anti-requests & special needs).