p2-inc / phasetwo-admin-portal

https://phasetwo.io

Permissions to show sections of ui #35

Closed xgp closed 1 year ago

xgp commented 1 year ago

Based on configuration in feature flags

Ignore for now:

Based on user roles per organization

pnzrr commented 1 year ago

@xgp the user roles are on a per org basis right now, so it'd be a check on a per org role check?

xgp commented 1 year ago

> @xgp the user roles are on a per org basis right now, so it'd be a check on a per org role check?

That's correct

pnzrr commented 1 year ago

Ok, considering that, I'm going to do a bit of work to pull the roles into the redux tree for the current user. That should help with access and checks on a more consistent basis than having to hit the API so repetitively.

pnzrr commented 1 year ago

@xgp one other thing I thought of here, if the user is not a member of an organization, should they not be able to see the org at all? so for instance, let's take this show orgs section: view-organization, if you aren't a member of that org, you can't have any roles for that org, so should you even be able to see it?

for the other roles, it's going to be a combo check on a lot of things and to get that working, I am thinking I'll need to slightly tweak the app components to handle fetching the specific roles of that user for that specific organization.

xgp commented 1 year ago

> if the user is not a member of an organization, should they not be able to see the org at all? so for instance, let's take this show orgs section: view-organization, if you aren't a member of that org, you can't have any roles for that org, so should you even be able to see it?

Correct

pnzrr commented 1 year ago

@xgp so small issue here. I updated the organization query to only grab the orgs that a user is now a member of. However, if they don't have the right role to view-roles, then any query to check their role will fail with a response of {"error":"HTTP 401 Unauthorized"}.

Which means that the user is unable to actually check any roles at all to be able to perform the functions as listed above. Should the getByRealmUsersAndUserIdOrgsOrgIdRoles API always return a positive or negative response as to that specific user's role in an organization, but not a 401? Essentially validating that you aren't checking another user's roles, just your own. That way the rest of the checks on the profile can be completed. This would allow for a specific check on your own roles, but no one else's.

pnzrr commented 1 year ago

@xgp not sure if you mean show the orgs nav item or the org itself on the orgs list page. Right now, I'm showing details as per the screenshot.


Since the "button" is the card, it will show like the card above. For the page, I assume this would need to be a redirect away.

The API at the moment will return 0 members without the view-members role. Did you want to do more here? view-organization is handled by either being able to click into the org for the org list page.

Only area to edit members is the drop-down context menu with the "edit roles" and "remove". The remove action is now disabled. Since you must have the view-members role to have the API return members, this should be sufficient.


Won't show without the view-roles role. view-organization & view-members will already exclude the ability to see roles if not available.


Disabled the "edit roles" link in the members lists and roles drop down. Disabled all buttons on edit roles page if they got there somehow.

Won't show. We might want to consider the role lacking view. As in show things, but disabled?

Will not allow sending invitations via UI.


Will show.

Doesn't show button to go to page, disables verify button


Hides card, disables button in settings

xgp commented 1 year ago

> not sure if you mean show the orgs nav item or the org itself on the orgs list page. Right now, I'm showing details as per the screenshot

Good as is.

> Since the "button" is the card, it will show like the card above

Should show card that cannot be clicked.

> The API at the moment will return 0 members without the view-members role. Did you want to do more here?

No. This is fine.

> Won't show. We might want to consider the role lacking view. As in show things, but disabled?

General rule would be to show, but disable. I want users to understand that they lack a permission, so that they can ask an "administrator" for access/help.

Everything else looks good. Let me know if I missed anything in need of clarification.

pnzrr commented 1 year ago

Made all items to be shown but disabled
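An added example (not code from phasetwo-admin-portal) showing the rules this thread settled on: orgs the user is not a member of are hidden, a 401 from the per-org roles query is treated as "no roles" so the remaining checks still run, and within an org a control is shown but disabled when a role is missing. Section names, the role names other than view-organization/view-members/view-roles, and the shape of the roles response are assumptions.

```javascript
// Added example, not code from phasetwo-admin-portal. The server still
// enforces every permission; this only decides what the UI renders.
// Required roles per UI section. Only view-organization, view-members and
// view-roles appear in the thread; the other role names are assumed.
const SECTIONS = {
  orgCard: ["view-organization"],
  membersList: ["view-members"],
  rolesTab: ["view-roles"],
  editRoles: ["view-roles", "manage-roles"], // "manage-roles" is assumed
  removeMember: ["manage-members"], // assumed
  sendInvitation: ["manage-invitations"], // assumed
};

// Store the outcome of one per-org roles query in the memberships map. A 401
// (the user lacks view-roles, as described in the thread) is recorded as an
// empty role list rather than an error, so the remaining UI checks can run.
function recordRolesResponse(memberships, orgId, response) {
  if (response.status === 401) return { ...memberships, [orgId]: [] };
  if (response.status !== 200) {
    throw new Error(`roles query for ${orgId} failed: HTTP ${response.status}`);
  }
  return { ...memberships, [orgId]: response.body.map((r) => r.name) };
}

// "hidden" when the user is not a member of the org at all; otherwise
// "enabled" or "disabled" depending on whether every required role is held.
function sectionState(memberships, orgId, section) {
  const required = SECTIONS[section];
  if (!required) throw new Error(`unknown section: ${section}`);
  if (!(orgId in memberships)) return "hidden";
  const roles = memberships[orgId];
  return required.every((r) => roles.includes(r)) ? "enabled" : "disabled";
}

// Constructed sample: responses for the orgs the user is a member of, in the
// shape the redux loader is assumed to receive (role objects with a "name").
let memberships = {};
memberships = recordRolesResponse(memberships, "org-a", {
  status: 200,
  body: [{ name: "view-organization" }, { name: "view-members" },
    { name: "view-roles" }, { name: "manage-members" }],
});
memberships = recordRolesResponse(memberships, "org-b", {
  status: 200, body: [{ name: "view-organization" }],
});
memberships = recordRolesResponse(memberships, "org-c", { status: 401 });

console.log(sectionState(memberships, "org-b", "membersList")); // "disabled"
```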