You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We're creating new permissions which allow for assigning of specific roles, instead of the previous permission which allow assigning any role, or any team role. The mutation used to assign roles must be updated to check the new permissions.
🕵️ Details
Now, in the implementation of the updateUserRoles mutation, we will have to carefully check if the user has the appropriate permission for EACH role which is being attached or detached from the user. This will be particularly complex in the case of sync, where you have to inspect the user's current roles and compare them to the sync array, to see which ones are being removed.
QUESTION: It may actually be easier to remove the sync operation entirely from the mutation, and update the client code to use attach and detach exclusively. (sync also makes it dangerously easy to remove roles by accident.)
I think we can also deprecate/remove updateUserTeamRoles mutation and code, since that was created mostly to make permission checking easier, and we'll use a totally new strategy now.
QUESTION: Depending on how we implemented #10302, we may also need to update how the team is passed into a role assignment. If Team is being abstracted away in the schema, then we can't get the teamId of a Pool or Community to pass in. Do we instead let it accept a Teamable id? or add a teamId field to Teamable interface?
🙋♀️ Proposed Solution
Note: Awkwardly, the update-team-processOperatorMembership permission has to give someone in a Community-team permission to assign someone to a Pool-team, if the Pool belongs to the Community.
✅ Acceptance Criteria
A set of assumptions which, when tested, verify that the debt was addressed and expected functionality has not been affected.
Assigning roles through the /admin/teams/:id/members page continues to function (though api may change behind the scenes). It can be used by Platform Admins and Community Managers.
Assigning roles through the /admin/users/:id/edit page continues to function (though api may change behind the scenes). Community Managers can assign or remove (legacy) team-based roles, and Platform Admins can assign or remove all (legacy) roles. (New Community Admin, Community Recruiter, and Process Operator roles can be ignored here for now.)
Role assignment uses the new update-any/team-<role>Membership permissions
adding or removing Platform Admin role requires update-any-platformAdminMembership
adding or removing Community Admin role requires update-any-communityAdminMembership or update-team-communityAdminMembership in the correct community team
adding or removing Community Recruiter role requires update-any-communityRecruiterMembership or update-team-communityRecruiterMembership in the appropriate community team
adding or removing Process Operator membership requires update-any-processOperatorMembership or update-team-processOperatorMembership in the pool's team OR the pool's community's team
adding or removing Community Manager or Request Responder roles (legacy roles) require assign-any-role permission (will be removed in cleanup)
adding or removing Pool Operator legacy role requires assign-any-teamRole permission (will be removed in cleanup)
Its possible to use a mutation to assign new Community and Pool based roles
phpunit tests
🛑 Blockers
Issues which must be completed before this one.
The content you are editing has changed. Please copy your edits and refresh the page.
Assigning roles through the /admin/teams/:id/members page continues to function (though api may change behind the scenes). It can be used by Platform Admins and Community Managers
Verify Applicant users can't use the above page
Assigning roles through the /admin/users/:id/edit page continues to function
Community Managers can assign or remove (legacy) team-based roles,
Platform Admins can assign or remove all (legacy) roles.
New Community Admin, Community Recruiter, and Process Operator roles can be ignored here for now.
adding or removing Platform Admin role requires update-any-platformAdminMembership
adding or removing Community Admin role requires update-any-communityAdminMembership or update-team-communityAdminMembership in the correct community team
adding or removing Community Recruiter role requires update-any-communityRecruiterMembership or update-team-communityRecruiterMembership in the appropriate community team
adding or removing Process Operator membership requires update-any-processOperatorMembership or update-team-processOperatorMembership in the pool's team OR the pool's community's team
adding or removing Community Manager or Request Responder roles (legacy roles) require assign-any-role permission (will be removed in cleanup)
adding or removing Pool Operator legacy role requires assign-any-teamRole permission (will be removed in cleanup)
Its possible to use a mutation to assign new Community and Pool based roles
♻️ Debt/Refactor
We're creating new permissions which allow for assigning of specific roles, instead of the previous permission which allow assigning any role, or any team role. The mutation used to assign roles must be updated to check the new permissions.
🕵️ Details
Now, in the implementation of the updateUserRoles mutation, we will have to carefully check if the user has the appropriate permission for EACH role which is being attached or detached from the user. This will be particularly complex in the case of
sync
, where you have to inspect the user's current roles and compare them to the sync array, to see which ones are being removed.QUESTION: It may actually be easier to remove the
sync
operation entirely from the mutation, and update the client code to use attach and detach exclusively. (sync also makes it dangerously easy to remove roles by accident.)I think we can also deprecate/remove updateUserTeamRoles mutation and code, since that was created mostly to make permission checking easier, and we'll use a totally new strategy now.
QUESTION: Depending on how we implemented #10302, we may also need to update how the team is passed into a role assignment. If Team is being abstracted away in the schema, then we can't get the teamId of a Pool or Community to pass in. Do we instead let it accept a Teamable id? or add a
teamId
field to Teamable interface?🙋♀️ Proposed Solution
Note: Awkwardly, the
update-team-processOperatorMembership
permission has to give someone in a Community-team permission to assign someone to a Pool-team, if the Pool belongs to the Community.✅ Acceptance Criteria
A set of assumptions which, when tested, verify that the debt was addressed and expected functionality has not been affected.
/admin/teams/:id/members
page continues to function (though api may change behind the scenes). It can be used by Platform Admins and Community Managers./admin/users/:id/edit
page continues to function (though api may change behind the scenes). Community Managers can assign or remove (legacy) team-based roles, and Platform Admins can assign or remove all (legacy) roles. (New Community Admin, Community Recruiter, and Process Operator roles can be ignored here for now.)update-any/team-<role>Membership
permissionsupdate-any-platformAdminMembership
update-any-communityAdminMembership
orupdate-team-communityAdminMembership
in the correct community teamupdate-any-communityRecruiterMembership
orupdate-team-communityRecruiterMembership
in the appropriate community teamupdate-any-processOperatorMembership
orupdate-team-processOperatorMembership
in the pool's team OR the pool's community's teamassign-any-role
permission (will be removed in cleanup)assign-any-teamRole
permission (will be removed in cleanup)🛑 Blockers
Issues which must be completed before this one.
Blocked By
The text was updated successfully, but these errors were encountered: