Closed xgp closed 1 year ago
@xgp the user roles are on a per org basis right now, so it'd be a check on a per org role check?
> @xgp the user roles are on a per org basis right now, so it'd be a check on a per org role check?
That's correct
Ok, considering that, I'm going to do a bit of work to pull the roles into the redux tree for the current user. That should help with access and checks on a more consistent basis than having to hit the API so repetitively.
@xgp one other thing I thought of here, if the user is not a member of an organization, should they not be able to see the org at all? so for instance, let's take this show orgs section: view-organization, if you aren't a member of that org, you can't have any roles for that org, so should you even be able to see it?
for the other roles, it's going to be a combo check on a lot of things and to get that working, I am thinking I'll need to slightly tweak the app components to handle fetching the specific roles of that user for that specific organization.
> if the user is not a member of an organization, should they not be able to see the org at all? so for instance, let's take this show orgs section: view-organization, if you aren't a member of that org, you can't have any roles for that org, so should you even be able to see it?
Correct
@xgp so small issue here. I updated the organization query to only grab the orgs that a user is now a member of. However, if they don't have the right role to view-roles then any query to check their role will fail with a response of {"error":"HTTP 401 Unauthorized"}.
Which means that the user is unable to actually check any roles at all to be able to perform the functions as listed above. Should the getByRealmUsersAndUserIdOrgsOrgIdRoles API always return a positive or negative response as to that specific user's role in an organization, but not a 401? Essentially validating that you aren't checking another user's roles, just your own. That way the rest of the checks on the profile can be completed. This would allow for a specific check on your own roles, but no one else.
view-organization
@xgp not sure if you mean show the orgs nav item or the org itself on the orgs list page. Right now, I'm showing details as per the screenshot.
view-organization
Since the "button" is the card, it will show like the card above. For the page, I assume this would need to be a redirect away.
[ ] allow edit org details: view-organization, manage-organization
[ ] show org members: view-organization, view-members
The API at the moment will return 0 members without the view-members role. Did you want to do more here?
view-organization is handled by either being able to click into the org for the org list page.
view-organization, view-members, manage-members
Only area to edit members is the drop-down context menu with the "edit roles" and "remove". The remove action is now disabled. Since you must have the view-members role to have the API return members, this should be sufficient.
view-organization, view-members, view-roles
Won't show without the view-roles roles. view-organization & view-members will already exclude the ability to see roles if not available.
view-organization, view-members, manage-members, view-roles, manage-roles
Disabled the "edit roles" link in the members lists and roles drop down. Disabled all buttons on edit roles page if they got there somehow.
view-organization, view-invitations, manage-invitations
Won't show. We might want to consider the role lacking view. As in show things, but disabled?
view-organization, view-invitations, manage-invitations
Will not allow sending invitations via UI.
view-organization, manage-organization
Will show.
view-organization, manage-organization
Doesn't show button to go to page, disables verify button
view-organization, manage-organization, view-identity-providers, manage-identity-providers
Hides card, disables button in settings
> not sure if you mean show the orgs nav item or the org itself on the orgs list page. Right now, I'm showing details as per the screenshot

Good as is.

> Since the "button" is the card, it will show like the card above

Should show card that cannot be clicked.

> The API at the moment will return 0 members without the view-members role. Did you want to do more here?

No. This is fine.

> Won't show. We might want to consider the role lacking view. As in show things, but disabled?

General rule would be to show, but disable. I want users to understand that they lack a permission, so that they can ask an "administrator" for access/help.
Everything else looks good. Let me know if I missed anything in need of clarification.
Made all items to be shown but disabled
Based on configuration in feature flags
registrationEmailAsUsername: if true don't show username on General profile page
passwordUpdateAllowed: if true allow password update button on Sign In profile page
twoFactorUpdateAllowed: if true allow 2fa create/update on Sign In profile page
passwordlessUpdateAllowed: if true allow Passwordless create/update on Sign In profile page
deviceActivityEnabled: if true show Device Activity profile page
linkedAccountsEnabled: if true show Linked Accounts profile page
editUsernameAllowed: if true username field is editable
deleteAccountAllowed: if true, show delete account button on bottom of General profile page
organizationsEnabled: if true, show orgs section
orgDetailsEnabled: if true, show orgs detail button and page
orgMembersEnabled: if true, show orgs members list
orgInvitationsEnabled: if true, show orgs invitations card and invitations modals
orgDomainsEnabled: if true, show orgs domains card and domains modals
orgSsoEnabled: if true, show orgs sso card
Ignore for now:
eventsEnabled: ignore for now
internationalizationEnabled: ignore for now
resourcesEnabled: ignore for now
viewGroupsEnabled: ignore for now
updateEmailFeatureEnabled: ignore for now
updateEmailActionEnabled: ignore for now
orgEventsEnabled: ignore for now
Based on user roles per organization
view-organization
view-organization
view-organization, manage-organization
view-organization, view-members
view-organization, view-members, manage-members
view-organization, view-members, view-roles
view-organization, view-members, manage-members, view-roles, manage-roles
view-organization, view-invitations, manage-invitations
view-organization, view-invitations, manage-invitations
view-organization, manage-organization
view-organization, manage-organization
view-organization, manage-organization, view-identity-providers, manage-identity-providers
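
The rule the thread settles on (feature flag off: hide; not a member of the org: hide; member but missing a role: show disabled), as an added example that is not code from this project. Role and flag names are taken from the thread; the action keys, the pairing of flags with actions, and `gate` are assumptions for illustration.

```javascript
// Added example: role and flag names are from the thread; action keys, the
// flag-to-action pairing and gate() are assumptions for illustration.
const RULES = {
  viewOrg: { flag: "organizationsEnabled", roles: ["view-organization"] },
  editOrgDetails: { flag: "orgDetailsEnabled",
    roles: ["view-organization", "manage-organization"] },
  showMembers: { flag: "orgMembersEnabled",
    roles: ["view-organization", "view-members"] },
  editMemberRoles: { flag: "orgMembersEnabled",
    roles: ["view-organization", "view-members", "manage-members",
            "view-roles", "manage-roles"] },
  sendInvitation: { flag: "orgInvitationsEnabled",
    roles: ["view-organization", "view-invitations", "manage-invitations"] },
};

// rolesByOrg: { orgId: [role, ...] } for the current user only, e.g. held in
// the client store. This drives presentation; the API remains the enforcement
// point (the thread notes it returns 0 members or a 401 without the role).
function gate(action, flags, rolesByOrg, orgId) {
  const rule = RULES[action];
  const hidden = { visible: false, enabled: false, missing: [] };
  // Unknown action, or flag not explicitly true: fail closed and hide.
  if (!rule || flags[rule.flag] !== true) return hidden;
  // Org absent from the user's map: not a member, so the org is not shown.
  if (!Object.prototype.hasOwnProperty.call(rolesByOrg, orgId)) return hidden;
  const held = new Set(rolesByOrg[orgId]);
  const missing = rule.roles.filter((r) => !held.has(r));
  // Member lacking a role: show but disable, and report what to request.
  return { visible: true, enabled: missing.length === 0, missing };
}

// Constructed sample data.
const SAMPLE_FLAGS = { organizationsEnabled: true, orgMembersEnabled: true,
                       orgInvitationsEnabled: false };
const SAMPLE_ROLES = { "org-a": ["view-organization", "view-members"] };

console.log(gate("editMemberRoles", SAMPLE_FLAGS, SAMPLE_ROLES, "org-a"));
```

The `missing` list is what lets the UI tell a user which permission to ask an administrator for.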