Unable to have guest as default role #1414

Open
Tracked by #110
escoand opened this issue Dec 8, 2020 · 1 comment
Labels
bug Something isn't working docs This needs to be documented

Comments

@escoand
Contributor

escoand commented Dec 8, 2020

Issue Summary
Sorry, but I still don't get how to set guest as default role for new users as requested in #1344 and implemented in #1346.

Environment

  • OS: Linux
  • API version: 8.2.0
  • Deployment: Docker
  • Database: MongoDB
  • Server config:
    Auth enabled? Yes
    Auth provider? OpenID
    Customer views? Yes
  • web UI version: 8.2.0
  • CLI version: 8.2.0

To Reproduce

USER_ROLES = ["guest"]
USER_DEFAULT_SCOPES = ["write:alerts", "read:heartbeats", "read:blackouts", "read:customers"]
GUEST_DEFAULT_SCOPES = ["read:alerts", "read:customers"]

The new user correctly gets the guest role but with the permissions of USER_DEFAULT_SCOPES. Additionally, the user role has no permissions anymore. So it seems I've renamed the user role to guest and overwritten the built-in guest role.

Expected behavior
My initial idea was to have new users automatically created with guest role.

@satterly added the bug label May 9, 2021
@satterly added the docs label Nov 13, 2021
@satterly modified the milestone: Release 9 Nov 14, 2021
@sigurdvaa

With the config provided in this issue, the runtime config essentially looks like this:

USER_ROLES = ["guest"]
USER_DEFAULT_SCOPES = ["write:alerts", "read:heartbeats", "read:blackouts", "read:customers"]

GUEST_ROLES = ["guest"]
GUEST_DEFAULT_SCOPES = ["read:alerts", "read:customers"]

And here's a snippet of the logic used in the db backends, where matches is user.roles:

scopes = list()
for match in matches:
    if match in current_app.config['ADMIN_ROLES']:
        return ADMIN_SCOPES
    if match in current_app.config['USER_ROLES']:
        scopes.extend(current_app.config['USER_DEFAULT_SCOPES'])
    if match in current_app.config['GUEST_ROLES']:
        scopes.extend(current_app.config['GUEST_DEFAULT_SCOPES'])

So a new user will get the role guest and access scopes from both default lists, while the role user doesn't match either of them and gets none.

It's probably unexpected for most people that you can end up getting access scopes from both lists this way, or that you can remove all access scopes for the role user, so it might be prudent to revert some of these changes and make the builtin roles hardcoded again, and only have their scopes configurable. Or properly document this behaviour, which might be why the docs label has been added to this issue. 😃

A simple solution to this specific issue though, where OP wishes to change default role and continue to use all builtin roles, might be to introduce a new setting, SIGNUP_DEFAULT_ROLES = ["guest"], and use that when creating a new user, instead of USER_ROLES.

@satterly, do you have any input on how this should be solved? If not, I can make a PR and we can take it from there.
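
The scope resolution described in the comment above, reconstructed as an added example that is not the project's code and not part of the thread, together with a configuration check that flags the two conditions reported here: a role listed in more than one role list, and a built-in role that no longer maps to any scopes. The function names, the `ADMIN_ROLES` and `ADMIN_SCOPES` values, and the de-duplicated return after the loop are assumptions made for this sketch.

```python
# Added example: constructed config mirroring the issue; not the project's own code.
ADMIN_SCOPES = ["admin"]  # placeholder value, assumed for this sketch

CONFIG = {
    "ADMIN_ROLES": ["admin"],  # assumed; not shown in the issue
    "USER_ROLES": ["guest"],
    "USER_DEFAULT_SCOPES": ["write:alerts", "read:heartbeats",
                            "read:blackouts", "read:customers"],
    "GUEST_ROLES": ["guest"],
    "GUEST_DEFAULT_SCOPES": ["read:alerts", "read:customers"],
}

def effective_scopes(roles, config):
    """Match roles in the order of the quoted snippet; result is de-duplicated."""
    scopes = []
    for role in roles:
        if role in config["ADMIN_ROLES"]:
            return list(ADMIN_SCOPES)
        if role in config["USER_ROLES"]:
            scopes.extend(config["USER_DEFAULT_SCOPES"])
        if role in config["GUEST_ROLES"]:
            scopes.extend(config["GUEST_DEFAULT_SCOPES"])
    return sorted(set(scopes))

def audit_role_config(config, builtin_roles=("admin", "user", "guest")):
    """Report role lists that overlap or leave a built-in role unmapped."""
    findings = []
    lists = {k: set(config[k]) for k in ("ADMIN_ROLES", "USER_ROLES", "GUEST_ROLES")}
    names = sorted(lists)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for role in sorted(lists[a] & lists[b]):
                findings.append(f"role '{role}' is in both {a} and {b}: scopes are merged")
    mapped = set().union(*lists.values())
    for role in builtin_roles:
        if role not in mapped:
            findings.append(f"built-in role '{role}' matches no role list: no scopes")
    return findings

if __name__ == "__main__":
    print("guest ->", effective_scopes(["guest"], CONFIG))
    print("user  ->", effective_scopes(["user"], CONFIG))
    for finding in audit_role_config(CONFIG):
        print("FINDING:", finding)
```

Running the audit at deployment time, before the service starts, surfaces the over-granted guest role without waiting for a user to notice unexpected write access.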

Projects
Status: 📝 Todo