Give more control over snapshot permission

Descriptive title for this enhancement

Have the possibility to restrain the snapshot permission in another way than only reading / writing all in ACL.

Actual behavior

Actually the user need the right to read and write overall in the branch to make / restore a snapshot. It's ok when the user have full rights on the branch but it doesn't work in restrain rights. Example if a user may edit only some fields in a branch but want use snapshot.

Expected behavior

Have a better way to let a users make snapshot and restore them.

Step by step description of new behaviour

Give right to only make and restore snapshot without looking at the permission of the user.

changed milestone to %FusionDirectory 1.3

By Jonathan Swaelens on 2017-12-08T14:28:50 (imported from GitLab)

hello,

yes easy solution, but it means that snapshot will have to handle that internally as bypassing acl is generaly not a good idea. i'am a bit uneasy with stuff that don't go through our acl systems

Cheers

By bmortier on 2017-12-08T14:35:52 (imported from GitLab)

added 10m of time spent at 2017-12-08

By bmortier on 2017-12-08T14:36:01 (imported from GitLab)

This could be done a bit like what was done for templates, add ACLs objects "snapshot" in each category.

By Côme Chilliet on 2018-01-04T08:44:25 (imported from GitLab)

hello,

yes i agree, we need acl snaphot in each category

Cheers

By bmortier on 2018-01-04T12:51:59 (imported from GitLab)

added 5m of time spent at 2018-01-04

By bmortier on 2018-01-04T12:52:11 (imported from GitLab)

assigned to @MCMic and unassigned @bmortier

By Côme Chilliet on 2018-01-16T15:55:25 (imported from GitLab)

So, if we add snapshot in each category, these will get RWCMD rights.

• Read means the right to see and list snapshots
• Write does not seem to apply to snapshots
• Create would be the right to take (full) snapshots
• Move does not apply
• Delete would be the right to delete snapshots

But what ACL rights would be needed in order to be able to restore a snapshot? Should the right to restore snapshot of existing objects and of deleted objects be separated?

We can add ACL fields in the snapshot ACL class and those will have RW rights. So maybe a field «restore» which needs Write to allow restore? (or restore_new and restore_over if we need to split)

By Côme Chilliet on 2018-01-25T10:49:53 (imported from GitLab)

@MCMic yes the right to restore snapshot of existing objects and of deleted objects should be separated.

as @jswaelens stated the snapshot acl are like the rest of the acl, added to others acl to restrict to which objet the user can do read/create/delete.

By bmortier on 2018-01-25T09:17:53 (imported from GitLab)

added 20m of time spent at 2018-01-25

By bmortier on 2018-01-25T09:18:58 (imported from GitLab)

created branch 5743-give-more-control-over-snapshot-permission

By Côme Chilliet on 2018-01-25T13:30:21 (imported from GitLab)

mentioned in merge request !112

By Côme Chilliet on 2018-01-25T13:30:22 (imported from GitLab)

mentioned in commit ff3918ab

By Côme Chilliet on 2018-01-25T13:32:53 (imported from GitLab)

mentioned in issue fd-plugins#5772 (closed)

By Côme Chilliet on 2018-01-25T13:36:14 (imported from GitLab)

added To Be Tested label

By Côme Chilliet on 2018-01-31T11:23:56 (imported from GitLab)

removed technical discussion label

By bmortier on 2018-02-05T08:34:38 (imported from GitLab)

added ~593 label

By Côme Chilliet on 2018-02-12T10:02:31 (imported from GitLab)

I just add the snapshot rights in an acl role when I manage users an acl but when I try to create a snapshot from an user, I cannot fill the "reason" of the snapshot.

My aclrole ldif is the following one

cn=users-management,ou=aclroles
createTimestamp 	2018-01-30 11:12:10
modifyTimestamp 	2018-02-27 17:02:14
objectClass 	top
objectClass 	gosaRole
cn 	users-management
description 	Users Management - Create roles and assign users to roles - Read and write users - Create roles group from user
gosaAclTemplate 	0:role/roleGeneric;cdrw
gosaAclTemplate 	1:dashboard/dashboard;r
gosaAclTemplate 	2:acl/aclAssignmentDialogWindow;cdrw,acl/aclAssignment;cdrw
gosaAclTemplate 	3:user/userRoles;cdrw#rolesMembership;rw,user/SnapshotHandler;cdr,user/user;rw,department/department;#description;rw

By Jonathan Swaelens on 2018-02-27T16:34:58 (imported from GitLab)

added 10m of time spent at 2018-02-27

By Jonathan Swaelens on 2018-02-27T16:34:58 (imported from GitLab)

user/SnapshotHandler;cdr

Seems like the role has no write right indeed. Can you try adding it? (result should be user/SnapshotHandler;cdrw)

By Côme Chilliet on 2018-03-06T08:47:23 (imported from GitLab)

added 10m of time spent at 2018-03-06

By Côme Chilliet on 2018-03-06T08:47:54 (imported from GitLab)

added 1h 20m of time spent at 2018-03-06

By Jonathan Swaelens on 2018-03-06T10:06:26 (imported from GitLab)

created branch 5743-give-more-control-over-snapshot-permission

By Côme Chilliet on 2018-03-06T11:38:26 (imported from GitLab)

mentioned in merge request !155

By Côme Chilliet on 2018-03-06T11:38:29 (imported from GitLab)

mentioned in commit 939c0904

By Côme Chilliet on 2018-03-06T11:39:40 (imported from GitLab)

added 1h of time spent at 2018-03-06

By Côme Chilliet on 2018-03-06T11:41:26 (imported from GitLab)

I have an error after the next steps.

• I click on the icon to make a snapshot
• I fill the reason
• When I validate it say the reason is not filled

By Jonathan Swaelens on 2018-03-07T10:00:54 (imported from GitLab)

added 10m of time spent at 2018-03-07

By Jonathan Swaelens on 2018-03-07T10:00:55 (imported from GitLab)

removed To Be Tested label

By Jonathan Swaelens on 2018-03-07T10:00:55 (imported from GitLab)

created branch 5743-give-more-control-over-snapshot-permission

By Côme Chilliet on 2018-03-07T10:10:29 (imported from GitLab)

mentioned in merge request !156

By Côme Chilliet on 2018-03-07T10:10:30 (imported from GitLab)

mentioned in commit 8e088c0e

By Côme Chilliet on 2018-03-07T10:59:38 (imported from GitLab)

Please test also snapshot restore as I fear it will need the same kind of fix.

By Côme Chilliet on 2018-03-07T13:04:24 (imported from GitLab)

added 1h of time spent at 2018-03-07

By Côme Chilliet on 2018-03-07T13:04:24 (imported from GitLab)

added To Be Tested label

By Côme Chilliet on 2018-03-07T13:04:24 (imported from GitLab)

Hello, I just tested to restore a snapshot and it looks like nothing happenned.

• I click on restore icon
• I choice the snapshot
• I come back on the same page like nothing happend and when I quit the snapshot is not restored

By Jonathan Swaelens on 2018-03-07T16:19:57 (imported from GitLab)

added 30m of time spent at 2018-03-07

By Jonathan Swaelens on 2018-03-07T16:19:57 (imported from GitLab)

removed To Be Tested label

By Jonathan Swaelens on 2018-03-07T16:20:07 (imported from GitLab)

created branch 5743-give-more-control-over-snapshot-permission

By Côme Chilliet on 2018-03-08T09:00:52 (imported from GitLab)

mentioned in merge request !157

By Côme Chilliet on 2018-03-08T09:00:54 (imported from GitLab)

mentioned in commit c5657faf

By Côme Chilliet on 2018-03-08T09:03:29 (imported from GitLab)

added 40m of time spent at 2018-03-08

By Côme Chilliet on 2018-03-08T09:06:38 (imported from GitLab)

added To Be Tested label

By Côme Chilliet on 2018-03-08T09:46:47 (imported from GitLab)

Hello, it's working but I think I have find a possible issue.

• I make a snapshot as manager
• I an attribut that manager cannot modify (example privateMail)
• Manager do some modifications and restore the snapshot
• The object lost the privateMail

By Jonathan Swaelens on 2018-03-12T13:59:16 (imported from GitLab)

added 1h of time spent at 2018-03-12

By Jonathan Swaelens on 2018-03-12T13:59:17 (imported from GitLab)

removed To Be Tested label

By Jonathan Swaelens on 2018-03-12T13:59:17 (imported from GitLab)

added ~590 label

By bmortier on 2018-03-26T08:23:19 (imported from GitLab)

This is on purpose, this is why we split snapshot ACL as something separated, so that users can give snapshot rights to people which do not have the rights to edit all fields.

By Côme Chilliet on 2018-03-27T09:43:07 (imported from GitLab)

added technical discussion label

By bmortier on 2018-06-15T13:42:56 (imported from GitLab)

added To Be Tested label

By bmortier on 2018-06-15T13:43:02 (imported from GitLab)

added user-manual label

By Jonathan Swaelens on 2018-06-19T13:41:07 (imported from GitLab)