Project

General

Profile

Actions

Feature #10900

open

Ship all built-in roles as read-only and provide a way to clone roles

Added by Lukas Zapletal about 9 years ago. Updated almost 9 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
Users, Roles and Permissions
Target version:
-
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

We currently do not support adding permissions to existing roles:

role "Existing Role", [:existing_perm, :new_perm]

In this case, new_perm is simply ignored. We need this in Discovery.


Related issues 2 (0 open2 closed)

Related to Discovery - Bug #10898: Auto-provision a host via Discovery_Manager role rasies undefined methodClosedLukas Zapletal06/22/2015Actions
Related to Foreman - Feature #11206: Provide a way to list default role permissions for pluginsClosedLukas Zapletal07/24/2015Actions
Actions #1

Updated by Lukas Zapletal about 9 years ago

  • Related to Bug #10898: Auto-provision a host via Discovery_Manager role rasies undefined method added
Actions #2

Updated by Marek Hulán about 9 years ago

  • Category set to Plugin integration
Actions #3

Updated by Lukas Zapletal about 9 years ago

  • Subject changed from Role DSL does not support adding permissions to existing roles to Add permission validator for roles
  • Category changed from Plugin integration to Security

Ok this is a feature. We do not want to add permissions back when roles are modified by
administrators. Therefore users need to add the permissions themselves.
Until roles are read only or we have some kind of validation that would
ask admin to add missing permission, that's the only way I think.

We can only make this easier to administrators by providing some kind of validation to find missing permissions. This could be a rake task maybe: permissions:default_validate and permissions:default_reset

Actions #4

Updated by Lukas Zapletal about 9 years ago

Alternatively, if permissions are never deleted from database but "disabled", then we can add them easily and also validation woudl be trivial.

Actions #5

Updated by Lukas Zapletal almost 9 years ago

  • Subject changed from Add permission validator for roles to Ship all built-in roles as read-only and provide a way to clone roles

This task will need to make sure all the roles in existing installation are correct before making them read-only. Perhaps via a migration with user explicitly confirming if there were some permission added back.

Validator rake task was shipped with https://github.com/theforeman/foreman/commit/758d57a3c067dbd07f5bfbd66617b6865dab9d66 and it will be useful for detecting incorrect permissions after we implement this feature.

Actions #6

Updated by Dominic Cleal almost 9 years ago

  • Related to Feature #11206: Provide a way to list default role permissions for plugins added
Actions #7

Updated by Dominic Cleal almost 9 years ago

  • Category changed from Security to Users, Roles and Permissions
Actions

Also available in: Atom PDF