MODPERMS-157: Check assignment permissions for operating user
Project: mod-permissions


Details

    • Story
    • Status: Closed
    • P2
    • Resolution: Done
    • 6.0.0
    • CP: sprint 125, CP: sprint 126
    • 5
    • Core: Platform

    Description

      mod-permissions change to fix FOLIO-2582.

      This PR makes a check against permissions when they are added to a user and when permissions (sets) are updated.

      The behavior until now has been that if the operating user had perms.users.item.post or perms.users.item.put, any permission could be granted to the request user (who may be the same as the operating user). Likewise, if the operating user had perms.permissions.item.put, the permissions of users could also be changed.

      This PR changes that so that, by default, only permissions already owned by the operating user can be assigned to the request user (the user in the path component).

      The check works as follows.

      1. If there is no user id, there is no operating user (basically no token). On an unauthenticated system the operation is therefore allowed.

      2. If the permission starts with okapi. and neither the operating user's permissions nor the module permissions contain perms.users.assign.okapi, the operation is denied.

      3. If the new permission is mutable and neither the operating user's permissions nor the module permissions contain perms.users.assign.immutable, the operation is denied.

      4. If the new permission is immutable and neither the operating user's permissions nor the module permissions contain perms.users.assign.mutable, the operation is denied.

      5. Otherwise, the operation is allowed.

      The permissions perms.users.assign.immutable, perms.users.assign.mutable and perms.users.assign.okapi are not part of perms.all.
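      The five-step check above, written out as an added illustration for this page (it is not mod-permissions' own code): the function, the Permission class and the sample permission names are invented, "module permissions" means the permissions granted to the calling module, and steps 3 and 4 are encoded exactly as the ticket words them.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Illustration written for this page, not mod-permissions code. The three
# gate permissions are the ones the ticket names; they are not in perms.all.
ASSIGN_OKAPI = "perms.users.assign.okapi"
ASSIGN_IMMUTABLE = "perms.users.assign.immutable"
ASSIGN_MUTABLE = "perms.users.assign.mutable"

@dataclass(frozen=True)
class Permission:
    name: str
    mutable: bool  # user-defined sets are mutable, module-defined ones are not

def check_assignment(operating_user_id: Optional[str], user_perms: Iterable[str],
                     module_perms: Iterable[str], perm: Permission) -> Tuple[bool, str]:
    """Return (allowed, reason) for assigning `perm` to the request user,
    applying steps 1-5 in the order the ticket lists them."""
    # Step 1: no user id means no operating user (no token): allowed.
    if operating_user_id is None:
        return True, "no operating user"
    # Steps 2-4 look at the operating user's permissions together with the
    # module permissions of the calling module.
    granted = set(user_perms) | set(module_perms)
    # Step 2: an okapi.* permission needs perms.users.assign.okapi.
    if perm.name.startswith("okapi.") and ASSIGN_OKAPI not in granted:
        return False, f"{perm.name} requires {ASSIGN_OKAPI}"
    # Step 3, as the ticket words it: mutable needs perms.users.assign.immutable.
    if perm.mutable and ASSIGN_IMMUTABLE not in granted:
        return False, f"mutable {perm.name} requires {ASSIGN_IMMUTABLE}"
    # Step 4, as the ticket words it: immutable needs perms.users.assign.mutable.
    if not perm.mutable and ASSIGN_MUTABLE not in granted:
        return False, f"immutable {perm.name} requires {ASSIGN_MUTABLE}"
    # Step 5: nothing above denied it.
    return True, "allowed"

def demo() -> dict:
    """Run the check over constructed requests; returns case name -> allowed."""
    okapi_all = Permission("okapi.all", mutable=False)          # constructed sample
    custom_set = Permission("circ-staff-custom", mutable=True)  # constructed sample
    ops = ["perms.users.item.put", ASSIGN_MUTABLE]  # operating user's own permissions
    return {
        "no token, okapi.all": check_assignment(None, [], [], okapi_all)[0],
        "item.put + assign.mutable, okapi.all": check_assignment("u1", ops, [], okapi_all)[0],
        "module adds assign.okapi, okapi.all": check_assignment("u1", ops, [ASSIGN_OKAPI], okapi_all)[0],
        "custom mutable set, no assign.immutable": check_assignment("u1", ops, [], custom_set)[0],
    }
```

The second case is the pre-fix behaviour the ticket describes (perms.users.item.put alone used to be enough to hand out anything); with the check it is denied because the operating user lacks perms.users.assign.okapi.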

              People

                Adam Dickmeiss