Limit what admins can do #2424

Merged
merged 1 commit into from Jul 31, 2015

@seanh
Contributor
seanh commented Jul 31, 2015

Fixes #2422

@tilgovi
Contributor
tilgovi commented Jul 31, 2015

Totally fine but I'd call it AdminResource. The context for a request is a resource, the resource itself is just a resource, not a "context resource".

Sean Hammond Limit what admins can do
Add new AdminContextResource class to admin.py that gives the 'admin'
permission to requests with the 'group:admin' principal, configure the
admin routes to use it.

Remove the security.ALL_PERMISSIONS that 'group:admin' used to have on
the app and API root resources.

This means that admins (only) can use views with the 'admin' permission
and the AdminContextResource factory, but they don't have any special
permission to use other views (e.g. they can't edit or delete other
people's annotations anymore).
b2aaa1e
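The effect of this commit on what an admin may do, as an added example that is not the project's code: a simplified single-resource model of first-match ACL evaluation, using the class name AdminResource suggested in the review above. The root class names, the 'update' and 'delete' permission names, and the principals are constructed for illustration.

```python
"""Simplified model of the ACL change described in the commit message.

Not the project's code: class names other than AdminResource, permission
names other than 'admin', and the principals are constructed.
"""

Allow, Deny = "Allow", "Deny"


class _AllPermissions:
    """Stand-in for security.ALL_PERMISSIONS: matches any permission name."""

    def __contains__(self, permission):
        return True


ALL_PERMISSIONS = _AllPermissions()


class RootBefore:
    """Root resource before the change: admins hold every permission."""
    __acl__ = [(Allow, "group:admin", ALL_PERMISSIONS)]


class RootAfter:
    """Root resource after the change: no blanket grant for admins."""
    __acl__ = []


class AdminResource:
    """Context for admin routes only: grants just the 'admin' permission."""
    __acl__ = [(Allow, "group:admin", "admin")]


def permits(resource, principals, permission):
    """First matching ACE wins; no match means denied (default deny)."""
    for action, principal, perms in getattr(resource, "__acl__", ()):
        if isinstance(perms, str):
            perms = (perms,)
        if principal in principals and permission in perms:
            return action == Allow
    return False


def admin_grants(resource, permissions=("admin", "update", "delete")):
    """Return the subset of `permissions` an admin holds on `resource`."""
    admin = ["acct:admin@example.com", "group:admin"]  # constructed principals
    return {p for p in permissions if permits(resource, admin, p)}
```

A check like `admin_grants` works as a regression test: it fails if a blanket grant for 'group:admin' is ever reintroduced on a non-admin resource.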
@seanh
Contributor
seanh commented Jul 31, 2015

@tilgovi Done

@tilgovi tilgovi merged commit 1ba106a into master Jul 31, 2015

3 checks passed

continuous-integration/travis-ci/pr The Travis CI build passed
continuous-integration/travis-ci/push The Travis CI build passed
coverage/coveralls Coverage increased (+0.02%) to 62.248%
@tilgovi
Contributor
tilgovi commented Jul 31, 2015

🚀

@tilgovi tilgovi deleted the limit-what-admins-can-do branch Jul 31, 2015