Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add permission checks #625

Merged
merged 7 commits into from
Jan 15, 2022
Merged

Add permission checks #625

merged 7 commits into from
Jan 15, 2022

Conversation

sevein
Copy link
Member

@sevein sevein commented Nov 1, 2021
edited
Loading

This pull request introduces the concept of user roles:

  • Administrators - with the is_superuser flag enabled,
  • Managers - a Django group with all application permissions given,
  • Reviewers - a Django group with the approve_package_deletion permission),
  • Readers - any user that is authenticated; read-only access.

The new roles module provides some functions to associate these roles to application users. A new database migration ensures that the new groups are created and have the permissions linked, as well as migrating existing users so they are grante dthe Managers role automatically.

Permission checks have been added where needed, including the API. In particular, the package deletion approve/reject workflow is available for Reviewers, Managers and Administrators. Certain user interface elements are hidden from the user when they're not actionable due to lack of permissions, hence the updates in multiple templates.

Our supported authentication backends have been revisited to ensure that the migration to this new permission-role model is possible. To ensure backward compatibility, a new setting (SS_AUTH_DEFAULT_USER_ROLE="reader") has been added to automatically promote users to managers that would become read-only users otherwise, in the absence of proper configuration to match other roles. Additionally:

  • LDAP: the application will attempt to discover group membership in the directory, where the group names are "Administrators", "Managers" and "Reviewers" (see example) but they're also configurable,
  • Shibboleth: in addition to the existing preservation-admin entitlement, we've added preservation-manager and preservation-reviewer,
  • CAS: in addition to the existing AUTH_CAS_ADMIN_ATTRIBUTE{,_VALUE} vars, new settings CAS_MANAGER_ATTRIBUTE{,_VALUE} and CAS_REVIEWER_ATTRIBUTE{,_VALUE} have been added,
  • OIDC: all authenticated users will become readers - use SS_AUTH_DEFAULT_USER_ROLE if you want your users to a role with more privileges. Group membership could be identified via claims in the future.

Connects to archivematica/Issues#1486.
Build status: see last commit in Archivematica branch.

@sevein sevein force-pushed the dev/issue-1485-permissions-take-two branch 9 times, most recently from 491ed6d to adc572d Compare November 5, 2021 21:12
@sevein sevein force-pushed the dev/issue-1485-permissions-take-two branch 7 times, most recently from 93a13bb to f8d11e4 Compare November 17, 2021 15:52
@sevein sevein force-pushed the dev/issue-1485-permissions-take-two branch from f8d11e4 to e351c37 Compare December 20, 2021 11:53
@sevein sevein marked this pull request as ready for review December 20, 2021 11:57
replaceafill
replaceafill approved these changes Jan 11, 2022
View reviewed changes
Copy link
Member

@replaceafill replaceafill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great to me @sevein! I just left some minor observations/questions. Feel free to address them as convenient.

install/README.md Show resolved Hide resolved
storage_service/administration/forms.py Outdated Show resolved Hide resolved
storage_service/administration/forms.py Outdated Show resolved Hide resolved
storage_service/administration/forms.py Outdated Show resolved Hide resolved
storage_service/administration/templates/widgets/role_choice.html Outdated Show resolved Hide resolved
storage_service/locations/tests/test_api.py Outdated Show resolved Hide resolved
storage_service/locations/views.py Show resolved Hide resolved
storage_service/administration/views.py Outdated Show resolved Hide resolved
storage_service/templates/snippets/locations_table.html Outdated Show resolved Hide resolved
storage_service/templates/snippets/pipelines_table.html Outdated Show resolved Hide resolved
@sevein
Add permission checks
172de4c 
This commit introduces a permission model where authenticated users have
read-only access, but they can be promoted as reviewers, managers or
administrators - implemented as Django groups with permissions associated.

The database migration promotes existing users as managers unless they were
already administrators. Reviewers can accept/reject package deletion requests,
an action also available to managers and administrators.
@sevein sevein force-pushed the dev/issue-1485-permissions-take-two branch from d36eb8d to 172de4c Compare January 15, 2022 06:42
@sevein sevein merged commit d45d9f1 into qa/0.x Jan 15, 2022
@sevein sevein deleted the dev/issue-1485-permissions-take-two branch January 15, 2022 06:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@replaceafill replaceafill replaceafill approved these changes

@jraddaoui jraddaoui Awaiting requested review from jraddaoui

@sbreker sbreker Awaiting requested review from sbreker

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sevein @replaceafill