Stricter access control for immutable models #332

Open
AlanCoding opened this issue Apr 18, 2024 · 0 comments
Labels
api API related item app:rbac ready to work Item is ready to be worked on

Comments

@AlanCoding (Member)

We have some special "policy" logic right now for the problem of who can give another user an object role.

The current logic appears a little too permissive in the case of immutable models. Instead of normal CRUD, these may only have ('add', 'view') permissions or ('add', 'delete', 'view') permissions.

Right now, when 'change' permission is not present, we have a stop-gap rule that you can assign other users object roles if you have all the possible permissions to that object. But if the only possible permission is view... this isn't very good.

This proposal is to change the rule to:

When "change" permission is not present, "change" permission to the parent object will be required to give other users roles to that object. If no parent object exists, then only superusers can give users roles to said object.

@AlanCoding AlanCoding added ready to work Item is ready to be worked on api API related item app:rbac labels Apr 18, 2024
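As an added illustration (not django-ansible-base code), the following Python models the current stop-gap rule beside the proposed one; the `Obj` and `Actor` classes, the object names and the permission sets are constructed stand-ins, and the parent check is written as a direct 'change' check on the parent object, as the proposal states.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Obj:
    """Constructed stand-in for a model instance; possible_perms holds the
    object-level codenames the model defines ('view' only when immutable)."""
    name: str
    possible_perms: frozenset
    parent: Optional["Obj"] = None

@dataclass
class Actor:
    is_superuser: bool = False
    perms: dict = field(default_factory=dict)  # object name -> {codenames}

    def has(self, obj: Obj, codename: str) -> bool:
        return codename in self.perms.get(obj.name, set())

def can_assign_current(actor: Actor, obj: Obj) -> bool:
    """Stop-gap rule from the issue: with no 'change' codename on the model,
    holding every possible permission on the object is enough."""
    if actor.is_superuser:
        return True
    if "change" in obj.possible_perms:
        return actor.has(obj, "change")
    return all(actor.has(obj, p) for p in obj.possible_perms)

def can_assign_proposed(actor: Actor, obj: Obj) -> bool:
    """Proposed rule: with no 'change' codename on the model, require 'change'
    on the parent object; with no parent, only superusers may assign roles."""
    if actor.is_superuser:
        return True
    if "change" in obj.possible_perms:
        return actor.has(obj, "change")
    if obj.parent is None:
        return False
    return actor.has(obj.parent, "change")

# Constructed scenario: an immutable child ('view' only) under a mutable parent.
PARENT = Obj("team", frozenset({"view", "change", "delete"}))
CHILD = Obj("team_token", frozenset({"view"}), parent=PARENT)
ORPHAN = Obj("global_setting", frozenset({"view"}))
VIEWER = Actor(perms={"team_token": {"view"}, "global_setting": {"view"}})
PARENT_ADMIN = Actor(perms={"team_token": {"view"}, "team": {"change"}})

def compare(actor: Actor, obj: Obj) -> tuple:
    """Return (current_rule, proposed_rule) for one actor/object pair."""
    return can_assign_current(actor, obj), can_assign_proposed(actor, obj)
```

Under the current rule a user holding only 'view' on the immutable child can hand out roles to it; under the proposed rule that requires 'change' on the parent, and an orphaned immutable object is reserved for superusers.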