-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding a user to the superuser-access role locks out from viewing all unregistered users #71
Comments
cc: @inveniosoftware/triagers |
This is sort of feature, since it's documented: Implying that consequently, if a user or role is attached then nobody but the user or role can perform the action. However as @jacquerie notes, in the normal context of a webserver, and digital library, it's a standard to have an admin user, which should not imply that any other user is then forbidden to perform the given action. That said: what about changing the default behavior for certain actions? (This was actually the case on Invenio1, where out-of-the-box we were shipping default sensible authorizations with either |
Hmm, maybe there should be a default 'public' action/role registered for some of the actions (like viewing a record). |
You can allow certain action to all users (sadly not available via CLI yet). |
FYI I am about to start working on improving the cli. Please see comments in #73. |
Since #73 has been merged one can explicitly grant access for anybody: $ flask access allow <ACTION> any |
Minimal reproduction: https://github.com/jacquerie/invenio-records-ui/blob/40ecddfe45c1a5fc17b87fdb73be8c060912580d/examples/permsapp.py
When visiting
/records/1
as an unregistered user one gets a login page, rather than the record.I understand that this is expected behaviour given the code, but I want to argue that is not reasonable behaviour given the objective of the library.
Locking out from viewing all unregistered users when a superadmin exists is reasonable behaviour when we are talking about files on a machine: if a
sudo
user exists, by default all files should LOCK access by guests.This is not reasonable when we are talking about a web server: the mere fact that an admin exists should NOT LOCK access by guests.
Applications built using Invenio are more like web servers, so by default should have the latter behaviour.
CC: @jmartinm @david-caro @kaplun
The text was updated successfully, but these errors were encountered: