Describe the bug
We have "client-power-users" who are able to create and edit users and roles for the client but not globally.
We assign these users the client authorities
deleteRole_clientAssignable
editRole_clientAssignable
addRole_clientAssignable
but not the corresponding global authorities.
However, these users are still able to assign global authorities to roles.
Not sure if this should be classified as a bug, but to me it does not seem to be the desired behaviour.
To Reproduce
Steps to reproduce the behavior:
Create a User with client authority to edit roles.
Log in as this user.
Edit a role.
You are able to add global authorities to the user.
Expected behavior
A user with only the client authority for editing roles should not be able to add global authorities to a role. As a solution, a check for the global edit role authority could be added to roleEdit/details.xhtml. If the user only has the client authority, the global authorities should not be shown.
Release
3.5.0
pontus-osterdahl changed the title from "User without only client authority to edit roles can still add global authorities to role" to "User with only client authority to edit roles can still add global authorities to role" on Nov 22, 2023
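The expected behaviour described in the report can also be enforced when the role is saved, independent of what the view shows. The following is an added example, not code from the project or from the reporter: the class and method names, the `_globalAssignable` suffix, the rule that a global role editor may grant any authority, and the sample authority names are assumptions.

```java
import java.util.Set;
import java.util.TreeSet;

// Added illustration, not the project's code. The class and method names and the
// "_globalAssignable" suffix are assumptions; "_clientAssignable" is from the report.
public class RoleAuthorityGuard {
    static final String GLOBAL = "_globalAssignable";
    static final String CLIENT = "_clientAssignable";

    // Returns the authorities this edit would newly add to the role that the
    // editor is not entitled to grant. An empty result means the edit may be saved.
    static Set<String> deniedAdditions(Set<String> editorAuthorities,
                                       Set<String> roleBefore,
                                       Set<String> roleAfter) {
        boolean globalEditor = editorAuthorities.contains("editRole" + GLOBAL);
        boolean clientEditor = editorAuthorities.contains("editRole" + CLIENT);
        Set<String> denied = new TreeSet<>();
        for (String authority : roleAfter) {
            if (roleBefore.contains(authority) || globalEditor) {
                continue; // unchanged by this edit, or editor may grant anything (assumed)
            }
            // Fail closed: a client-only editor may add client authorities and
            // nothing else, so global and unrecognised entries are denied.
            if (!(clientEditor && authority.endsWith(CLIENT))) {
                denied.add(authority);
            }
        }
        return denied;
    }

    // Run on the server before persisting the role, so the rule holds even if
    // the view did not hide the global entries.
    static void requireAllowed(Set<String> editor, Set<String> before, Set<String> after) {
        Set<String> denied = deniedAdditions(editor, before, after);
        if (!denied.isEmpty()) {
            throw new SecurityException("Not allowed to assign: " + denied);
        }
    }

    public static void main(String[] args) {
        // Constructed sample data: a client power user as described in the report.
        Set<String> powerUser = Set.of("addRole" + CLIENT, "editRole" + CLIENT, "deleteRole" + CLIENT);
        Set<String> before = Set.of("sampleA" + CLIENT);
        Set<String> after = Set.of("sampleA" + CLIENT, "sampleB" + CLIENT, "sampleC" + GLOBAL);
        System.out.println("Denied: " + deniedAdditions(powerUser, before, after));
        requireAllowed(powerUser, before, Set.of("sampleA" + CLIENT, "sampleB" + CLIENT));
        System.out.println("Client-only edit accepted");
    }
}
```

Comparing the role before and after the edit means global authorities already on a role do not block a client editor from saving unrelated changes; only newly added entries are checked.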