Add support for operator and manager roles #203
Conversation
ChrisMacNaughton
force-pushed
the
feature/user-permissions
branch
from
1fc638e to
19070a5
Compare
ChrisMacNaughton
force-pushed
the
feature/user-permissions
branch
2 times, most recently
from
bf64bc1 to
a930b69
Compare
Broadly, the new roles work as follows: The manager role is a role that manages users and groups, with the notable exception that a Manager cannot add or remove the Operator and Admin attributes on a group, nor add those groups to a user. In effect, this means that a Manager can only add or remove a useri from non-permission granting groups, or to the Manager group. The operator role is a role designed to help with management of EyeDP itself, granting no control of users not groups, but allowing changing Settings and Identity Service Providers. This means that an Operator can create and edit SAML or OpenID Connect Applications, and they can manage Certificates for the same, as well as updating Settings such as the application's base URI or templates for emails. Ad admin continues to have full permission for all activities. Closes: #199
igalic
left a comment
igalic
left a comment
There was a problem hiding this comment.
i need some clarification before i can actually review this, as i have never seen this construct before
| end | ||
|
|
||
| def ensure_user_is_authorized! | ||
| raise(ActionController::RoutingError, 'Not Found') and return \ |
There was a problem hiding this comment.
The return here is unnecessary but doesn't harm things, and it fits a general Rails pattern of ensuring that a web request isn't rendered twice.
The raise is basically saying: 404 not Found. When an ActionController::RoutingError is raised during a Rails request, the server will return with a 404 and the 404 page that's located in public/404.html.
Previously, this pattern was specifically used to guard the entire of the admin UI against any user who is not an admin, but is being expanded dramatically here to allow more kinds of users into parts of the admin UI.
igalic
left a comment
igalic
left a comment
There was a problem hiding this comment.
looks pretty good to me
thanks for all the explanations and for adding the documentation
|
|
||
| ### Operators | ||
|
|
||
| An operator is a type of user that can manage EyeDP itself, but cannot manage |
There was a problem hiding this comment.
can you give me a one sentence summary of what it means to manage EyeDP in this sense?
like, add and remove applications and links? auth backends? etc…
|
|
||
| def model_params | ||
| p = params.require(:group).permit( | ||
| def model_params # rubocop:disable Metrics/MethodLength |
There was a problem hiding this comment.
seriously? this method is too long according to rubocop?? wtf.
| def roles | ||
| @roles ||= begin | ||
| %i[admin manager operator].filter do |name| | ||
| send(name) |
There was a problem hiding this comment.
can you explain what happens here?
you're sending each of :admin, :manager, :operator messages to… where exactly?
There was a problem hiding this comment.
This is basically the same as:
@roles ||= begin
roles = []
[:admin :manager :operator].each do |name|
roles << name if self.send(name)
end
roles
endThere was a problem hiding this comment.
and, the thing.send method is a Ruby way of calling a method on a thing by a stringy name, it's effectively the same as saying:
roles << :admin if self.admin
README.md
Outdated
|
|
||
| ### Managers | ||
|
|
||
| An operator is a type of user that can manage users and groups, but cannot |
There was a problem hiding this comment.
The word operator should be replaced with manager.
| :password, :last_activity_at, group_ids: [] | ||
| ) | ||
| p[:group_ids] ||= [] | ||
| # A Manager cannot add a user to an operator or admin group |
There was a problem hiding this comment.
Should this comment be moved inside the condition?
Not 100% sure how the coding/commenting style is defined, but the pluck action is more related to the comment than the manager condition itself.
There was a problem hiding this comment.
Good catch, will tidy this
| <%= nav_link "#{fa_icon("tasks")} Permissions".html_safe, admin_permissions_path %> | ||
| <%= nav_link "#{fa_icon("tasks")} Permissions".html_safe, admin_permissions_path %> | ||
| <%- end %> | ||
| <%= nav_link "#{fa_icon("commenting")} Audit Log".html_safe, admin_audits_path %> |
There was a problem hiding this comment.
Is the audit log relevant for a manager?
Are there details leaked outside of the manager or operator scope?
There was a problem hiding this comment.
That's a good point, it's probably worth restricting the audit log to just admins.
Broadly, the new roles work as follows:
The manager role is a role that manages users and groups, with the
notable exception that a Manager cannot add or remove the Operator
and Admin attributes on a group, nor add those groups to a user.
In effect, this means that a Manager can only add or remove a useri
from non-permission granting groups, or to the Manager group.
The operator role is a role designed to help with management of
EyeDP itself, granting no control of users not groups, but allowing
changing Settings and Identity Service Providers. This means that
an Operator can create and edit SAML or OpenID Connect Applications,
and they can manage Certificates for the same, as well as updating
Settings such as the application's base URI or templates for emails.
Ad admin continues to have full permission for all activities.
Closes: #199