Organization admin should be able to work with full multitenancy
|Assigned To:||Marek Hulán|
|Category:||Organizations and Locations|
|Target version:||Team Marek Iteration 25|
|Found in release:|||
|Pull request:||https://github.com/theforeman/foreman/pull/4917|
|Velocity based estimate||-|
Right now the org admin works "by accident". That works in the UI, and for the API something similar can be achieved by #16363. But in the ideal case, available organizations should work based on the view_organizations and assign_organizations permissions. While the feature today is limited to a single organization, we should support delegation for multiple organizations.
Reproducing steps (in both UI and API)
0. create a user with org admin role assigned to 2 organizations
1. try creating a new domain
2. it will always fail without any error message in the UI; the issue is in fact that the taxonomy assignment is disallowed until the user gets the view_organizations and assign_organizations permissions
- After a user gets the Org admin role (which is assigned to one or more orgs) and is assigned to these organizations, they can create/edit resources in these.
- This means organization filters need to be assignable to organizations (requires scoped_search definition)
Fixes #21343 - support multiple orgs supported for non-admin users
- Fixes #21343 - support multiple orgs supported for non-admins
This adds full support for taxonomies in the API for non-admin users. It
fixes the issue with the dirty associations module that only tracks _ids
changes. It also makes nil a valid value for the organization_id and
location_id parameters, which sets "Any context" explicitly, so the user can
override the default context to any. Finally it updates the org admin role
to have permissions to see and edit organizations. That required an
enforcement of taxonomies that are being set as parent as well as
taxonomy filters being searchable by taxonomy_id. So the filter for
e.g. organizations can be correctly scoped for org admin too.
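
A simplified Ruby model of the rules the issue and commit message describe, added here as an illustration and not taken from Foreman's code base: assignment is gated on view_organizations plus assign_organizations and is rejected with an explicit error, and an explicit nil organization_id is distinguished from an absent one. The Filter and User structs, TaxonomyDenied and all method names are hypothetical, and resolving "Any context" to the organizations the user can view is an assumption of the model.

```ruby
# Simplified model of the behaviour described above; not Foreman's code.
# Filter, User, TaxonomyDenied and every method name are hypothetical.
require 'set'

# A filter grants one permission, limited to the listed organization ids.
Filter = Struct.new(:permission, :organization_ids)
User   = Struct.new(:login, :filters, :default_organization_id)

class TaxonomyDenied < StandardError; end

# Organizations in which the user holds every permission in `needed`.
def orgs_with(user, needed)
  needed.map do |perm|
    user.filters.select { |f| f.permission == perm }
        .flat_map(&:organization_ids).to_set
  end.reduce(:&)
end

# An org may be attached to a resource only if the user can both see it
# and assign it. Raise with the offending ids instead of failing silently.
def authorize_assignment!(user, requested_ids)
  allowed = orgs_with(user, %w[view_organizations assign_organizations])
  denied  = requested_ids.to_set - allowed
  raise TaxonomyDenied, "cannot assign organizations #{denied.sort}" unless denied.empty?
  requested_ids
end

# Key absent -> the user's default context. Key present but nil -> "Any
# context", modelled (assumption) as every organization the user may view.
def resolve_context(user, params)
  visible = orgs_with(user, %w[view_organizations])
  return [user.default_organization_id] unless params.key?(:organization_id)
  id = params[:organization_id]
  return visible.sort if id.nil?
  raise TaxonomyDenied, "organization #{id} not visible" unless visible.include?(id)
  [id]
end

# Constructed sample: org admin role scoped to organizations 1 and 2.
ORG_ADMIN = User.new('orgadmin', [
  Filter.new('view_organizations',   [1, 2]),
  Filter.new('assign_organizations', [1, 2]),
  Filter.new('create_domains',       [1, 2])
], 1)
# Constructed sample of the failing case: no organization permissions at all.
LEGACY = User.new('legacy', [Filter.new('create_domains', [1, 2])], 1)
```
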