Open MGLL opened 6 months ago
@MGLL Thanks for the report. I'm not entirely sure this is an issue though. The only way to access the settings page (button present) is if you have the manage-organization role.
The visibility options can be configured as needed to control the view of the UI. The ability to interact with the API (UI or no) is based on the roles assigned to a user. If they don't have the right role, no settings button for the organization is viewable. As you noted, the permission controls this and you are correct in setting it appropriately for users.
I think it could be an issue in the case where, for example, we want to let an admin in the organization manage the organization, but as the admin of the SaaS platform we want to restrict / hide something.
With this example, if we disable the SSO & Domains globally and assign the manage-organization role to a user, this user can still access the disabled elements through settings.
Also, I noticed that a user who can view roles and invite other users can select any role (so a user can invite another user with manage-organization even if their own roles are "lower", e.g. just invite someone else).
For the first point, I think that's something I could contribute on (however, not sure when) if you have other topics currently 👍
Hello, just to notify that I noticed something.
When I disable Domains & SSO in AdminUI of Keycloak (Styles), it disappears from the "organization homepage", but it's still available in settings.
Admin UI: ![AdminUI_Style](https://github.com/p2-inc/phasetwo-admin-portal/assets/16251642/c77d653d-03e5-4a35-83b1-ced525383f83)
Organization Homepage: ![OrgPage](https://github.com/p2-inc/phasetwo-admin-portal/assets/16251642/4ad6fe75-ac93-4502-932d-53defd18aeca)
Organization Settings: ![Settings](https://github.com/p2-inc/phasetwo-admin-portal/assets/16251642/70695b79-c31c-43dc-8674-f9f5a4468d91)
If you want, I could take a look when I have time.
Also, I noticed that "Name" is supposed to be read-only (in the UI), but I'm able to change it through the API. I will take this into account for my current work on "Read Only Organization Metadata" to set "Name" as read-only by default (for organization users and not the platform admin).