TO API - should not be able to create / update a user with a higher role than your role #875
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Currently, to create or update a user thru the TO API, you have to have the admin or operations role, however, going forward your role will not dictate your ability to create/update users but rather the capabilities attached to your role.
Going forward roles can be arbitrarily created and attached to whatever capabilities the administration of the system desires.
For example, roles could look like this:
In this example, if the foo role has the user-write capability, anyone with the foo role can create or update users which means they could create a user and give them the admin role and thus sidestepping roles/capabilities altogether.
When creating / updating users, you should never be able to assign a role with a higher priv level than your role's priv level.
The text was updated successfully, but these errors were encountered: