-
Notifications
You must be signed in to change notification settings - Fork 260
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Splitoff admin only roles for API #2616
base: main
Are you sure you want to change the base?
Conversation
webapp/config/packages/security.yaml
Outdated
@@ -3,10 +3,10 @@ | |||
security: | |||
role_hierarchy: | |||
ROLE_JURY: [ROLE_CLARIFICATION_RW, ROLE_API, ROLE_API_READER, ROLE_API_SOURCE_READER] | |||
ROLE_ADMIN: [ROLE_JURY, ROLE_JUDGEHOST, ROLE_API_WRITER] | |||
ROLE_ADMIN: [ROLE_JURY, ROLE_JUDGEHOST, ROLE_API_WRITER, | |||
ROLE_API_PROBLEM_CHANGE, ROLE_API_CONTEST_CHANGE] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think editor
would be a better suffix than change
. Also, is ROLE_API_CONTEST_CHANGE
a superset of privileges over ROLE_API_PROBLEM_CHANGE
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, a contest is a different thing from a problem as we allow problems without a contest.
final class Version20240629154640 extends AbstractMigration | ||
{ | ||
private const NEW_ROLES = ['api_problem_change' => 'API Problem Changer', | ||
'api_contest_change' => 'API Contest Changer']; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we have some more detailed descriptions of these roles? How do admin/API writer, contest changer and problem changer relate?
This is for an usecase like EUC where there is an Ad-Hoc group which doesn't know each other yet (or even the system). The responsibility for the upload of the problems lies with one team which does not want admin access to make sure nothing gets broken. The same for changing the contest as BAPCtools does for example. Also extended the tests for admin access to now also check for the new roles while making sure admin also keeps the rights by transitivity.
b78b35b
to
80d5b5e
Compare
public function getDescription(): string | ||
{ | ||
return "Add new roles to the database. | ||
Problem editor can add/delete/edit anything related to problems; files, testcases. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think any (end) user will read this and I think @eldering his feedback is that people now don't know what the roles do without checking the code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Exactly. What the roles do should ideally be clear from the role constant names, but at least from the role descriptions .
Two questions:
If the answer is no to both of these questions, then one role |
I think BAPCtools also wants to set the contest, and the judges of EUC wanted to only import the problems and nothing else? I'm fine with merging them as its already better than admin and we can always decide to split them later if there is a real usecase.
It was for me, I rather not also have to do this in code and if you have the zips already you can also just give them to an admin. I think is is only relevant for automated tools and during the contest I wouldn't want jury members to be able to change things which they might not be aware what are the differences (testcase order etc.). So its both laziness for the amount of code changed and only giving the rights which are needed. The same distinction was made for locking a contest. |
We had this request both during EUC and this would help during next BAPC prelims where we probably ask a BAPC jury member to upload the problems already.
For the 2nd case I would personally trust that person with
admin
access but others might see that differently. Also only giving the needed access is always a good thing and given that this is easy to test I don't think this would be a real feature creep.