|
|
@DenisChenu, what do you think about this blocker? I think it makes sense that if you are allowed to create new users, you should also be able to assign a user role. Of course, that should exclude roles with superadmin rights. |
|
|
|
You should also be able to assign a user role
ONLY if you have all rights in this role …
User can not give more right then they already have |
|
|
|
I agree, user rights at the role need to be checked against the user's permissions. |
|
|
|
@gabrieljenik, what do you think about this issue? |
|
|
|
ONLY if you have all rights in this role …
User can not give more right then they already have
If I understand correctly, I don't agree.
What you say is that the person that assigns the roles should have at least the same access level fo the role being assigned, right?
That doens't lead to a proper separation of concerns.
If I want someone just to create users and some other person to assign them permissions, how should it with the above schema?
I am not sure this collides with other user permissions stories which are on hold. |
|
|
|
Let me explain the issue in a different way. Currently only superadmins can make use of the role feature at all. So if there are other admins responsible for creating user accounts, they can not use this helpful feature at all.
If we adjust this and allow other admins to use roles, we need to check role details first before granting them access to certain roles. Otherwise, there could be a role with all user permissions and the admin allowed to create users could create an account with all rights for himself to extend the access that was initially granted to him. |
|
|
|
I am not very aware of roles.
Still, one question that pops up...
If we adjust this and allow other admins to use roles, one thing could be to use roles. The other one to configure them.
Make sense?
there could be a role with all user permissions
Maybe the "role creation / management" sahll not be set by roles, but by permission?
That way, someone may use roles but not update them. |
|
|
|
User can not give more right then they already have
If I understand correctly, I don't agree.
What you say is that the person that assigns the roles should have at least the same access level fo the role being assigned, right?
The reason here was If you allow an user to create user but disallow to update all surveys : there are a reason.
If you don' check if current user have all roles permission what can happen:
- The user create NEWUSER (with an email of him)
- User give roles "ALLSURVEYMANGEMENT" to NEWUSER
- User log in as NEWUSER and can update all surveys.
I really understand finally why roles can be set only by superadmins … |
|
|
|
Correct, @DenisChenu - On the one hand it makes sense that only superadmins can use roles. On the other hand the feature is not available to common users with create user rights. |
|
|
|
Yes …
But i don't know the precise specifications for roles feature ;)
Maybe a list of roles allowed by user ? |
|
|
|
Please remind me ...
Right now, someone that has user creation permissions can create a user with permissions to access almost everything right?
If so, then, the possibility of someone creating a non-desired very powerfull user already exists.
For me, the roles and users should be able to be handled separately.
That means, there should be the possibility of having separation of concerns: Someone that create users shall not be able to create roles.
To achieve that we could add:
1 - A specific permission to handle roles. Right now, there is not. (or I missed it)
2 - A specific permission (or other way) to NOT have users to assign individual global permissions
One way is through a "permissions" permission
Thoughts? |
|
|
|
Right now, someone that has user creation permissions can create a user with permissions to access almost everything right?
No : he can not give permission if he don't have permission
See [edit bad link] https://github.com/LimeSurvey/LimeSurvey/blob/b1d4dbd53114ac6b082f88a0ce023a15aa38cab4/application/models/Permission.php#L285
If so, then, the possibility of someone creating a non-desired very powerfull user already exists.
No, it was fixed a long time ago, and refixed in 4.0.beta if i remind.
then my Thought : we must really avoid user to give more rights they already have !
[Edit ]
For Survey and SurveyGroups (and other models in future)
- Checkbox is disable if current user didn't have permission : https://github.com/LimeSurvey/LimeSurvey/blob/b1d4dbd53114ac6b082f88a0ce023a15aa38cab4/application/models/services/PermissionManager.php#L77
- User can not update Permission if he don't have it : https://github.com/LimeSurvey/LimeSurvey/blob/b1d4dbd53114ac6b082f88a0ce023a15aa38cab4/application/models/services/PermissionManager.php#L138 (can NOT remove permission too).
|
|
|
|
we must really avoid user to give more rights they already have !
According to he can not give permission if he don't have permission, then it is already done.
But thinking on roles, if there is a role for a powerfull user, then someone could use it and create a user with it.
Maybe we could have some roles only to be assigned by users with a different permission?
It would be like having a "reserved" flag on roles, which would make them available to specific users.
Another alternative?
Having a 2nd authorization and a time delay when assigning specific roles.
But this should be a common topic.
How is this handled on other systems?
From the top of my head, the issue is usually handled not by limiting user creation or permission assignment, but by logging what each user does and who created the user. |
|
|
|
Another idea (not sure if bright):
Permission over user creation, permission management and roles can only be given by super admin? |
|
|
|
According to he can not give permission if he don't have permission, then it is already done.
Yes, currently. But allow user to set roles is an update here.
Maybe we could have some roles only to be assigned by users with a different permission?
A new settings on roles «Can be set by user without superadmin rights» and a BIG warning. It think it's OK :+1:
Maybe we could have some roles only to be assigned by users with a different permission?
I don't understand here ?
Permission over user creation, permission management and roles can only be given by super admin?
Currently we have
- User with User creation permission
- Can give permission they have to created user (if they can update)
- Roles are limited to superamin (read) user.
|
|
|
|
I like this idea:
A new settings on roles «Can be set by user without superadmin rights» and a BIG warning |
|
|
|
Should this be moved to feature request? |
|
|
|
I tend to say it is a bug (Currently only superadmins can make use of the role feature at all.) because otherwise a fix will never be implemented ;-) |
|
