Custom Entity Permissions: Easily add new permissions to roles after initialization #206

Closed
HeyJoel opened this Issue May 8, 2018 · 1 comment

HeyJoel commented May 8, 2018

Problem:

Cofoundry only sets up permissions for roles the first time they are created. This is to prevent conflicts with any permissions changes that happen in the UI after a site is deployed. You can programmatically update roles from code by using the RegisterDefinedRolesCommand command (see managing roles in code documentation), but that could be heavy-handed when you just want to add one or two new permissions.

The main problem comes when you add a new custom entity because if roles have already been generated in the db, no permissions for the custom entity will be added (e.g. read permission for the anonymous role). This can be a little confusing, and may also go undetected if the developer is logged into the admin panel while developing (super admin has permissions to everything).

Issue #205 was caused by this problem.

Considerations

There are a number of scenarios we have to consider when designing a solution:

  • In simple scenarios roles won't be given much consideration and devs will expect adding new custom entities to just work.
  • In some scenarios it would not be appropriate to add new permissions to roles by default. Some sites are mostly restricted by login accounts and it wouldn't be good to grant permissions to the anonymous roles by default.
  • Simple role management will be the most used scenario and we should endeavor to make that out-the-box scenario easiest, opting in to more complex config for more complex scenarios.

Ideas

  • We could have a config flag that runs RegisterDefinedRolesCommand with UpdateExistingRoles set to true on every update. This would overwrite any role changes made through the admin UI, so maybe this is more of a 'code managed roles' only mode where admin UI is disabled.
  • We could have permissions initializers, which work much like role initializers but based on a permission or set of permissions (e.g. for a custom entity). This could be quite verbose.
  • We could change the default behavior to always apply role initializers for any new permissions being added to the system. This is probably the best/most natural solution if it's possible.
  • Add the ability to configure permissions on the custom entity definition - e.g. a setting to allow anonymous access or a function to run to decide whether to grant permissions.

@HeyJoel HeyJoel added the enhancement label May 8, 2018

@HeyJoel HeyJoel added this to the 0.4 milestone May 8, 2018

@HeyJoel HeyJoel changed the title Custom Entity Permissions: Find a way to add easily read access to roles by default Custom Entity Permissions: Easily add new permissions to roles after initialization May 8, 2018

HeyJoel added a commit that referenced this issue Jul 6, 2018

Fixed #206 Custom Entity Permissions: Easily add new permissions to roles after initialization. Role initializers are now used for any new permissions being added to the system.

HeyJoel commented Jul 6, 2018

Fixed in 0.4. Role initializers are now used for any new permissions being added to the system.

@HeyJoel HeyJoel closed this Jul 6, 2018
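
A simplified model of the behaviour described in the fix (role initializers run only against permissions that are new to the system), added here as an illustration and not Cofoundry's own code. The type names, the permission codes and the assumption that "new" means "defined in code but not yet recorded in the database" are hypothetical.

```csharp
// Simplified model, not Cofoundry's implementation. All names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;

public record Role(string Code, HashSet<string> Permissions);

public static class PermissionSync
{
    // known: permission codes already recorded in the database (assumed to be
    // how "new" permissions are detected). initializers: per-role function that
    // picks, from the permissions offered, those the role should be granted.
    public static List<string> ApplyNewPermissions(
        ISet<string> definedInCode, ISet<string> known, IEnumerable<Role> roles,
        IReadOnlyDictionary<string, Func<IEnumerable<string>, IEnumerable<string>>> initializers)
    {
        var added = definedInCode.Except(known).ToList();
        var log = new List<string>();
        foreach (var role in roles)
        {
            // A role without an initializer gets nothing: new permissions are deny-by-default.
            if (!initializers.TryGetValue(role.Code, out var initializer)) continue;
            // Only the new permissions are offered, so a grant that was revoked
            // through the admin UI is never restored by this step.
            foreach (var permission in initializer(added).Intersect(added))
                if (role.Permissions.Add(permission)) log.Add($"{role.Code} += {permission}");
        }
        known.UnionWith(added); // record them so the next start-up adds nothing
        return log;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample state: PAGE.READ was revoked from "anonymous" in the UI,
        // then a custom entity with PRODUCT.* permissions was added in code.
        var known = new HashSet<string> { "PAGE.READ", "PAGE.UPDATE" };
        var defined = new HashSet<string>(known) { "PRODUCT.READ", "PRODUCT.UPDATE" };
        var roles = new[] { new Role("anonymous", new HashSet<string>()),
                            new Role("editor", new HashSet<string>(known)) };
        var initializers = new Dictionary<string, Func<IEnumerable<string>, IEnumerable<string>>>
        {
            ["anonymous"] = offered => offered.Where(p => p.EndsWith(".READ")),
            ["editor"] = offered => offered
        };
        foreach (var line in PermissionSync.ApplyNewPermissions(defined, known, roles, initializers))
            Console.WriteLine(line);
    }
}
```

The returned log doubles as an audit trail of grants made at start-up, which is worth reviewing when the anonymous role appears in it.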
