Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Configure Admin Access Controls #11

Open
jgladwig opened this issue Feb 9, 2022 · 3 comments
Open

Configure Admin Access Controls #11

jgladwig opened this issue Feb 9, 2022 · 3 comments

Comments

@jgladwig
Copy link
Collaborator

jgladwig commented Feb 9, 2022

While basic access controls currently appear to work as intended for non-admin users there are some improvements to be made. For basic users any protocol created is assigned that user as owner and any time a user requests a list of protocols they receive all of the protocols that are marked with that user as owner.

This intended behavior currently breaks down for admin users and admins receive the protocols for every user. This is likely due to some configuration flaw with our use of django-oso. Admins by default appear to have access to all protocols regardless of owner field. While this kind of behavior could one day be considered as an option for admins... right now the frontend is not built to handle receiving all protocols for all users.

The incremental step forward here would be to ensure admins only receive the protocols for which they are specifically listed as owners.

@danbryce
Copy link
Contributor

danbryce commented Feb 9, 2022 via email

@jgladwig
Copy link
Collaborator Author

jgladwig commented Feb 9, 2022

The main issue on the frontend is that it makes some assumptions that protocols have unique names. That assumption is enforced and holds true within each user's scope but that does not hold true across multiple users (User A and User B can both have a protocol named 'example'). So when an admin user sees multiple protocols of the same name it will have a key clash and display incorrectly.

Removing that assumption from the frontend and instead keying off of something that in globally unique (the protocol id) may be a fine answer.

@danbryce
Copy link
Contributor

danbryce commented Feb 10, 2022 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants