New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Prevent group admins from changing their own role #4821
Conversation
I think it's not quite right. Originally, the problem came from the cases when someone was adding organization creator(himself, probably) as an organization member with access level different from I'm strongly against restricting operations with my own account. If I decided that I don't want to be an admin anymore - I should be able to change my membership level at any time. |
The reason I implemented it like this is that both creating and updating members is done through That said, I do agree with the general sentiment that this is not an optimal solution. One additional option that comes to mind would be to add a hidden parameter to the edit dialog that would skip the check, which would allow for self-edits but not self-creates. |
Whenever it's possible, all changes should be API-driven. Addition of hidden field will resolve the problem in UI, but direct API calls still vulnerable to this problem. Do you really need to separate calls inside |
Sorry, mixed the action name with the template name there. In the PR I'm doing the actual checking in the The root of the issue, as I see it, is having both create and update in a single action, where they should be two. If they were separated, this couldn't be an issue. |
Let's focus on the desired behavior first. I/e, now we need to decide WHAT we are expecting from this functionality, not HOW we are going to implement this. And, when the workflow is agreed, only then we need to work out a solution |
No argument there. The expected behavior in the bug is worded as "Admin of organization should not be able to add himself to organization members", is this correct? Currently updating and creating memberships are identical action calls, so implementing the restriction as written also stops admins from updating themselves (current PR). If we want to restrict one and not the other, there needs to be a way to tell them apart, whatever it may be. Lastly, there need to be some changes to the UI so it doesn't display error-producing actions (like autocomplete the admin himself in the new member dialog if it would produce an error. |
I see-e-e, sorry - i've misread original issue and all the time was incorrectly interpreting the problem. Now it has a lot of sense. Could you please fix those issues from CircleCI:
and i'll merge this PR |
Sure, though the second one isn't even from this PR :) |
🎆 Thanks |
Fixes #4560
This is one way to deal with the issue. I tried to make the changes as small as possible while still avoiding offering error-producing interaction paths to the user. I'm not entirely confident all the changes here have been implemented in the most elegant and style-preserving fashion, especially the
ignore_self
frontend part, but at the very least it works in our environment to counter the issue.Proposed fixes:
Features:
Please [X] all the boxes above that apply