Restrict member removal through ACLs
In some use cases, managers could be allowed to add users to a role/group but not to remove other users from it.
One suggestion was to add a «delete» right separate from the «write» right in the ACLs. One problem with this is that it means managers can’t remove values they added themselves. Also, we’ll need to migrate existing ACLs, and to decide what this «delete» right means for monovaluated attributes. Maybe another solution would be to look at the rights on the user to decide whether it can be removed by a manager.
Activity
Hello,
As discussed, I am in favour of a delete right, which seems more consistent and is more generic.
The issues we saw were:
- how to handle single value
In my reasoning, this delete right is a generic right that can be removed when one doesn't want people to remove entries, aka making them blank in a monovaluated attribute.
- how to handle multivalue
In my reasoning, this delete right is a generic right that can be removed when one doesn't want people to remove entries, aka removing entries in the case of a multivaluated attribute.
- how to migrate ACLs
We could add the delete right on all ACLs when migrating.
Cheers
By bmortier on 2017-11-27T21:06:38 (imported from GitLab)
Edited by bmortier
So the chosen solution was to add ACLs on the user side for putting a user in a group/role. This means there will be ACLs on the groups & roles tab with the fields groupsMembership and rolesMembership, and a manager will need write rights on those fields in order to be able to put a user in a group/role.
This is postponed to 1.3, as in the meantime #5625 will be used instead, by using templates to put users in groups/roles.
(from redmine: written on 2017-06-19)
By Côme Chilliet on 2017-09-02T15:37:59 (imported from GitLab)
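A toy model of the two designs discussed in this thread, added here as an illustration; it is not FusionDirectory code. The `Acl` class, the `member` field name, the `d` right letter, the sample names and DNs, and the assumption that removal is gated by the same write right on `groupsMembership` are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    subject: str          # who holds the rights
    base: str             # DN subtree the entry applies to
    field: str            # attribute or tab field
    rights: frozenset     # subset of {"r", "w", "d"}

def has_right(acls, subject, dn, field, right):
    """True if any ACL grants `right` on `field` for `dn` (naive suffix match on DNs)."""
    return any(
        a.subject == subject and a.field == field and right in a.rights
        and (dn == a.base or dn.endswith("," + a.base))
        for a in acls
    )

def group_side_allows(acls, manager, group_dn, action):
    """First suggestion: 'w' adds members, a separate 'd' removes them."""
    needed = "w" if action == "add" else "d"
    return has_right(acls, manager, group_dn, "member", needed)

def user_side_allows(acls, manager, user_dn, field="groupsMembership"):
    """Chosen solution: the decision depends on write access to the user's field."""
    return has_right(acls, manager, user_dn, field, "w")

# Constructed sample data (names and DNs are invented for this example).
GROUP = "cn=sales-team,ou=groups,dc=example,dc=org"
BOB = "uid=bob,ou=sales,dc=example,dc=org"
CAROL = "uid=carol,ou=hr,dc=example,dc=org"
ACLS = [
    Acl("alice", "ou=groups,dc=example,dc=org", "member", frozenset("rw")),
    Acl("alice", "ou=sales,dc=example,dc=org", "groupsMembership", frozenset("rw")),
]

def demo():
    return {
        "group_side_add": group_side_allows(ACLS, "alice", GROUP, "add"),
        "group_side_remove_own_addition": group_side_allows(ACLS, "alice", GROUP, "remove"),
        "user_side_bob": user_side_allows(ACLS, "alice", BOB),
        "user_side_carol": user_side_allows(ACLS, "alice", CAROL),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

With the group-side model, a manager holding only `w` cannot undo her own addition; with the user-side model, the same manager can change membership for users in her subtree and for no one else.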
- bmortier created branch
5570-restrict-member-removal-through-acls
By Côme Chilliet on 2017-10-11T10:05:45 (imported from GitLab)
- bmortier mentioned in merge request !41
By Côme Chilliet on 2017-10-11T10:05:46 (imported from GitLab)
- bmortier added 2h of time spent
By Côme Chilliet on 2017-10-11T12:24:15 (imported from GitLab)
- bmortier added To Be Tested label
By Côme Chilliet on 2017-10-11T13:40:00 (imported from GitLab)
- bmortier created branch
5570-restrict-member-removal-through-acls
By Côme Chilliet on 2017-10-25T07:31:17 (imported from GitLab)
- bmortier mentioned in merge request !59
By Côme Chilliet on 2017-10-25T07:31:19 (imported from GitLab)
- bmortier added 30m of time spent
By Côme Chilliet on 2017-10-25T09:11:57 (imported from GitLab)
- bmortier changed the description
By bmortier on 2017-11-27T21:06:29 (imported from GitLab)
The Selenium tests are done (https://gitlab.fusiondirectory.org/automated-testing/automated-testing/issues/3) and they were successful (https://jenkins.fusiondirectory.org/view/Selenium-Test/job/Selenium-Tests-Generic/plugin=core,vminfos=dev-jessie/626/testReport/(root)/AclTest/).
So I am closing this issue.
By Jonathan Swaelens on 2018-03-14T14:36:14 (imported from GitLab)
- bmortier closed
By Jonathan Swaelens on 2018-03-14T14:36:15 (imported from GitLab)
- bmortier added 10m of time spent at 2018-03-14
By Jonathan Swaelens on 2018-03-14T14:36:16 (imported from GitLab)
- bmortier removed To Be Tested label
By Jonathan Swaelens on 2018-03-14T14:36:16 (imported from GitLab)