Uploaded image for project: 'mod-permissions'
  1. mod-permissions
  2. MODPERMS-157

Check assignment permissions for operating user

    XMLWordPrintable

Details

    • Story
    • Status: Closed (View Workflow)
    • P2
    • Resolution: Done
    • None
    • 6.0.0
    • None
    • CP: sprint 125, CP: sprint 126
    • 5
    • Core: Platform

    Description

      mod-permissions change to fix FOLIO-2582.

      This PR makes a check against permissions when they are added to a user and when permissions (sets) are updated.

      The behavior until now has been that if the operating user had perms.users.item.post, perms.users.item.put, any permission could be granted to the request user (which may be the same as the operating user). Also, if operating user had permission perms.permissions.item.put, permissions for users could also be changed.

      This PR will change that, so that (by default), only permissions that are already owned by the operating
      user can be assigned to the request user (the user in the path component).

      The check works as follows.

      1. If no user id , no operating user (basically no token). So an unauthenticated system, the operation is allowed.

      2. if permission starts with okapi. and operating user permissions and module permissions doesn't contain perms.users.assign.okapi , the operation is denied.

      3. if the new permission is mutable and operating user permissions and module permissions doesn't contain perms.users.assign.immutable, the operation is denied.

      4. if the new permission is immutable and operating user permissions and module permissions doesn't contain perms.users.assign.mutable, the operation is denied.

      5. otherwise, the operation is allowed.

      The desired permissions perms.users.assign.immutable , perms.users.assign.mutable, perms.users.assign.okapi are not part of perms.all.

      TestRail: Results

        Attachments

          Issue Links

            relates to

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. FOLIO-2582 Privilege escalation tenant admins with permissions.all to okapi.all

            • P1 - highest priority item, drop everything else before this is resolved, reserved for critical bugfixes
            • Closed

            Task - A task that needs to be done. MODPERMS-159 Set SNAPSHOT version to 6.0.0

            • TBD - To be determined
            • Closed

            Task - A task that needs to be done. FOLIO-3321 Update create-tenant-admin role to use new perms.users.assign* permissions

            • TBD - To be determined
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MODEXPS-61 User creation fails due to lack of permissions

            • TBD - To be determined
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MODINREACH-210 Cannot create user due to lack of permissions

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODPERMS-160 Migrate assignment permissions

            • TBD - To be determined
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. MODPERMS-172 permission assign: lax operating user check

            • TBD - To be determined
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MODPERMS-174 modulePermissions not read correctly

            • TBD - To be determined
            • Closed

            Bug - A problem which impairs or prevents the functions of the product. MODPUBSUB-209 Missing permission for pubsub-user (System)

            • P1 - highest priority item, drop everything else before this is resolved, reserved for critical bugfixes
            • Closed

            Story - Created by Jira Software - do not edit or delete. Issue type for a user story. UIU-2542 Create permission sets for the perms.users.assign perms

            • P2 - normal priority level, must be included in the current development cycle
            • Draft

            Bug - A problem which impairs or prevents the functions of the product. UIU-2549 Include perms.users.assign.mutable/immutable in ui-users.editperms

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            New Feature - New feature requests UXPROD-3614 Permissions Management Improvements for Morning Glory

            • TBD - To be determined
            • In Refinement
            mentioned in

            Page Loading...

            Page Loading...

            Page Loading...

            Activity

              People

                adam Adam Dickmeiss
                adam Adam Dickmeiss
                Votes:
                0 Vote for this issue
                Watchers:
                6 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases