Ship all built-in roles as read-only and provide a way to clone roles
We currently do not support adding permissions to existing roles:
role "Existing Role", [:existing_perm, :new_perm]
In this case, new_perm is simply ignored. We need this in Discovery.
#1 Updated by Lukas Zapletal almost 8 years ago
- Related to Bug #10898: Auto-provision a host via Discovery_Manager role raises undefined method added
#2 Updated by Marek Hulán almost 8 years ago
- Category set to Plugin integration
#3 Updated by Lukas Zapletal almost 8 years ago
- Subject changed from Role DSL does not support adding permissions to existing roles to Add permission validator for roles
- Category changed from Plugin integration to Security
Ok this is a feature. We do not want to add permissions back when roles are modified by
administrators. Therefore users need to add the permissions themselves.
Until roles are read only or we have some kind of validation that would
ask admin to add missing permission, that's the only way I think.
We can only make this easier for administrators by providing some kind of validation to find missing permissions. This could be a rake task maybe: permissions:default_validate and permissions:default_reset
#4 Updated by Lukas Zapletal almost 8 years ago
Alternatively, if permissions are never deleted from the database but "disabled", then we can add them easily and also validation would be trivial.
#5 Updated by Lukas Zapletal almost 8 years ago
- Subject changed from Add permission validator for roles to Ship all built-in roles as read-only and provide a way to clone roles
This task will need to make sure all the roles in an existing installation are correct before making them read-only. Perhaps via a migration with the user explicitly confirming if there were some permissions added back.
Validator rake task was shipped with https://github.com/theforeman/foreman/commit/758d57a3c067dbd07f5bfbd66617b6865dab9d66 and it will be useful for detecting incorrect permissions after we implement this feature.
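Added example, not part of the original thread and not Foreman's code: a stand-alone Ruby sketch of the two ideas discussed above, a validator that reports drift between shipped default permissions and a stored role, and built-in roles that are read-only but can be cloned. The Role struct, validate_defaults, DEFAULTS and STORED are hypothetical names, and the sample data is constructed from the "Existing Role" case in the description.

```ruby
require 'set'

# Hypothetical model (not Foreman's classes): name, permission set, built-in flag.
Role = Struct.new(:name, :permissions, :builtin) do
  # Built-in roles reject modification, so they can never drift from defaults.
  def add_permission(perm)
    raise ArgumentError, "#{name} is built-in and read-only; clone it first" if builtin
    permissions << perm
  end

  # A clone gets its own copy of the permission set and is editable.
  def clone_as(new_name)
    self.class.new(new_name, permissions.dup, false)
  end
end

# Compare the permissions a release ships for each default role with what is
# stored. Returns only the roles that differ, with sorted missing/extra lists.
def validate_defaults(defaults, roles)
  defaults.each_with_object({}) do |(name, expected), report|
    current = roles[name] ? roles[name].permissions : Set.new
    missing = (expected - current).to_a.sort
    extra   = (current - expected).to_a.sort
    report[name] = { missing: missing, extra: extra } unless missing.empty? && extra.empty?
  end
end

# Constructed sample: the shipped definition gained :new_perm, but the stored
# role predates it, which is the situation the issue description reports.
DEFAULTS = { 'Existing Role' => Set[:existing_perm, :new_perm] }.freeze
STORED   = { 'Existing Role' => Role.new('Existing Role', Set[:existing_perm], true) }.freeze

if __FILE__ == $PROGRAM_NAME
  validate_defaults(DEFAULTS, STORED).each do |name, diff|
    puts "#{name}: missing=#{diff[:missing].inspect} extra=#{diff[:extra].inspect}"
  end
end
```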
#6 Updated by Dominic Cleal almost 8 years ago
- Related to Feature #11206: Provide a way to list default role permissions for plugins added
#7 Updated by Dominic Cleal almost 8 years ago
- Category changed from Security to Users, Roles and Permissions