Preventing system users being removed from system groups #1733
Conversation
|
Works as expected. However I've come across a related issue: Attempting to rename user |
|
@manics try now, you should't be able to edit name |
|
One last thing (sorry). In the group admin page there's nothing to stop an admin user removing themself from the |
|
/cc @mtbc for comment re: the |
|
The |
I think yesterday's error was an |
|
Hmmm..... a 500 seems odd either way. But if it wasn't an |
|
Those should prevent 'root' and current user from removing from 'system' either via experimenter or group edit forms |
|
Testing root:
Testing as admin_user:
|
|
Tested both scenarios - all works as expected. Looks OK to merge. |
|
any comments on the new method? @knabar @chris-allan @will-moore @cneves |
| @@ -74,10 +74,13 @@ | |||
| }; | |||
|
|
|||
| // Since we want to disable removal of 'system' group (id=0) from chosen, this hides the 'X' | |||
| var admin_groups = [{% for x in admin_groups %}'{{ x|escapejs }}',{% endfor %}] | |||
There was a problem hiding this comment.
Having a trailing comma may blow up in IE before 9 - don't have a browser installed to test it right now though
http://stackoverflow.com/questions/7246618/trailing-commas-in-javascript
There was a problem hiding this comment.
How about
from django.utils import simplejson
list = simplejson.dumps(LIST)
var JS_LIST = {{ list|safe }};
|
General question: do we want other admin to modify the password of root? |
| @return: Current Experimenter | ||
| @return: Generator of L{BlitzObjectWrapper} subclasses | ||
| """ | ||
| return self.getObject("ExperimenterGroup", 0).getMembers() |
There was a problem hiding this comment.
Instead of hard-coding 0, you could use conn.getAdminService().getSecurityRoles().systemGroupId
|
The behaviour is fine - can't remove myself from system or user groups. Still a bit confusing to newbies to see "system" as a group that is added / removed according to the Administrator checkbox - but I guess we can't hide it from the list of groups, since some users are only in "system" and their data is in system group too. |
|
that should be final commit |
|
@dpwrussell: it should fix ticket http://trac.openmicroscopy.org.uk/ome/ticket/11693 |
|
Conflicting PR.Removed from build OMERO-merge-develop#497. See the console output for more details. |
|
This is conflicting with the unit support PR. |
|
Bug:
|
|
That is not related as the PR hasn't been merged because of the conflict |
|
Conflicting PR.Removed from build OMERO-merge-develop#498. See the console output for more details. |
|
Conflicting PR.Removed from build OMERO-merge-develop#499. See the console output for more details. |
additional changes to PR #565
…dmin::getSecurityRoles
|
Finally, good to merge :) |
|
Re-running travis job. |
|
Looks good to merge |
…oup-change-restrictions Preventing system users being removed from system groups
|
--no-rebase Following #1723 |
| 'owners': ownerIds, 'members':memberIds, 'experimenters':experimenters}, | ||
| group_is_current_or_system=group_is_current_or_system) | ||
| admins = [conn.getAdminService().getSecurityRoles().systemGroupId] | ||
| if long(gid) in system_groups and conn.isAdmin: |
There was a problem hiding this comment.
Was just reviewing this code as I had to fix a merge conflict...
I think you should use rootId instead of systemGroupId here, since you want the ID of the root user
admins = [conn.getAdminService().getSecurityRoles().rootId]
Also, it looks like you didn't call the conn.isAdmin: method (missing brackets) but this shouldn't be needed anyway as the login_required decorator already checks that only Admins can view this page.
I'll make these changes in my conflict resolution, unless I'm missing something?
Issue spotted in #1723. Requires additional changes to PR #565
To test it check if you can't remove root or guest from system groups in Webadmin.