New flag to propagate group perm changes #858
Conversation
|
Can I request that we invert this behavior? From previous discussion, it sounded to me like this wants to be the new default behavior. I'd request that the flag be renamed |
|
@hkethi002 , @kofalt - @gsfr and I were discussing this on Friday, unfortunately it's not this simple. This would do a replace of the projects' permission with that of the group permissions. Instead, the expected behavior is that the specific addition or change would be propagated through the hierarchy. For example, group permissions are still supposed to be a set of permissions that are applied by default to a new project. After that, permissions might differ wildly from project to project in the same group. If one project decides to add a user to their project's permissions, a change here will wipe their permission to that project. It is more likely they would want to add a new user to all existing projects in a group, or make a user an admin of all existing projects, rather than "reset" all projects to the state of the group's permissions list. Unfortunately the "correct" behavior for pushing changes is still under discussion. |
|
Let's check that my understanding is correct:
A) Is the above list accurate? |
|
A) #2 is inaccurate as this feature as it currently works in this PR is not the requested behavior and is not really a "mid-step" to requested behavior. |
|
Given your response to A, is the intention that this PR will change significantly before being merged? If not, will we use this feature in the web UI, or just leave it as an admin-ish feature? Re: C, I'll probably omit it for now then :) |
|
It will have to change, yes. Or at least also support only applying the change in the request body. And the web UI is the expected client that would be using this endpoint. The envisioned UI would have a "propagate"* button next to each item in the list of permissions, and maybe a global one at the top that does what this PR currently does. Just to be clear, on Friday I was originally writing a change to do exactly what's in this PR, but the nuance of not wanting to clear project specific permissions was realized and development was put on hold. @hkethi002 we can discuss the best way to cleanly add the requests above to what is here, that should cover all possible functionality requested for this endpoint. |
hkethi002
force-pushed
the
group-perm-push
branch
2 times, most recently
from
c0d042f to
2528f32
Compare
hkethi002
force-pushed
the
group-perm-push
branch
from
2528f32 to
8418ea3
Compare
|
@hkethi002 mind writing a few example requests and how they would change the underlying projects? |
api/dao/hierarchy.py
Outdated
| elif oper == 'DELETE': | ||
| config.db.projects.update_many({'group': _id, 'permissions._id' : update}, {'$pull' : {'permissions': {'_id': update}}}) | ||
| else: | ||
| raise APIStorageException("Cannot propagate {} operation".format(oper)) |
There was a problem hiding this comment.
Could you reuse the function below and set the query and update commands based on what you would do here? I'd prefer reusing complicated hierarchy functions when possible.
hkethi002
force-pushed
the
group-perm-push
branch
3 times, most recently
from
eda3cca to
f1922b4
Compare
hkethi002
force-pushed
the
group-perm-push
branch
from
f1922b4 to
4e832d7
Compare
hkethi002
force-pushed
the
group-perm-push
branch
from
3784b38 to
3ccb469
Compare
|
Changes look good, thanks! |
3 participants
Fixes #601
Changes
/groups/{GroupId}/permission?propagate=truewill now propagate permission changes down hierarchyPOSTwill add the permission to all of that group's projects that doesn't have that user's permission already, projects that do already have it are updated to the new accessPUTandDELETEwill update and delete that group's projects that already have the user's permission and won't affect projects without the user's permission.Review Checklist