Task #9604 (closed, 100% done)
As a developer, I can easily add add/remove/list Roles to my viewsets
Description
Problem
Now that pulpcore knows about Roles, and users can define their own, we need to allow users to manage the role assignments to specific objects and "model level" permissions.
Design
Create the following API calls, nested under any given viewset, e.g. TaskViewset:

- add_role: If on a detail view, add the role the caller specifies to the group(s) and/or user(s) the caller specifies, scoped to that specific object. If not on a detail view, add the role to those groups and/or users as a model-level role. The role is required. At least one group or user must be specified. If the Role has no permission applicable to this object type, an error is expected.
- remove_role: If on a detail view, remove the role the caller specifies from the group(s) and/or user(s) the caller specifies on that specific object. If not on a detail view, remove the role from those groups and/or users as a model-level role. The role is required. At least one group or user must be specified. If the Role has no permission applicable to this object type, an error is expected. If no users or groups had that role, no error is expected.
- list_roles: List the roles that could have at least one permission that is meaningful for this object type.
- my_permissions: If on a detail view, list the effective object-level permissions the requesting user has through both direct assignment and group membership. If not on a detail view, list the effective model-level permissions the requesting user has through both direct assignment and group membership.

Create a RoleMixin that allows developers to add these endpoints to any viewset easily.
Authorization details

- The developer is expected to define a new "manage permissions" permission that is specific to that object type. For example, core.manage_roles_task would be a reasonable name for managing the permissions of a Task.
- The developer needs to add the specific calls to their access policy so that the new permission authorizes them: only users who hold that permission may call list_roles, add_role, and remove_role. For example, for core.manage_roles_task that would look like:
{
"action": ["list_roles", "add_role", "remove_role"],
"principal": "authenticated",
"effect": "allow",
"condition": "has_model_or_obj_perms:core.manage_roles_task",
},
It is expected that drf-access-policy would allow any authenticated user to list my_permissions.
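The semantics described in the Design and Authorization sections, as an added illustration that is not pulpcore's own RolesMixin: an in-memory stand-in for the role tables, with the four endpoint behaviours as plain functions. It assumes Django-style permission codenames (app.action_model) and that an object-level my_permissions only reports assignments made on that object; the role, user and group names are constructed sample data.

```python
# Hypothetical in-memory stand-in for pulpcore's role tables, not the project's own code. Permission
# codenames use Django's "app.action_model" form, so one applies to an object type when it ends with "_<type>".
class RoleStore:
    def __init__(self, roles, group_members):
        self.roles, self.group_members = roles, group_members  # role -> frozenset(perms); group -> set(users)
        self.assignments = set()  # (kind, name, role, obj); obj=None means a model-level assignment

def _applies(perm, obj_type):
    return perm.split(".", 1)[1].endswith("_" + obj_type)

def list_roles(store, obj_type):
    """Roles with at least one permission meaningful for this object type."""
    return sorted(name for name, perms in store.roles.items() if any(_applies(p, obj_type) for p in perms))

def _change(store, role_name, obj_type, obj, users, groups, op):
    if not users and not groups:
        raise ValueError("at least one user or group must be specified")
    if role_name not in list_roles(store, obj_type):  # unknown role, or none of its permissions apply
        raise ValueError(f"role {role_name!r} is not applicable to {obj_type!r}")
    for kind, names in (("user", users), ("group", groups)):
        for name in names:
            op((kind, name, role_name, obj))

def add_role(store, role_name, obj_type, obj=None, users=(), groups=()):
    """A detail view passes obj; a list view leaves it None, giving a model-level role."""
    _change(store, role_name, obj_type, obj, users, groups, store.assignments.add)

def remove_role(store, role_name, obj_type, obj=None, users=(), groups=()):
    """Removing a role nobody held is not an error, hence set.discard rather than remove."""
    _change(store, role_name, obj_type, obj, users, groups, store.assignments.discard)

def my_permissions(store, user, obj_type, obj=None):
    """Effective permissions on obj (model level when obj is None) via direct and group assignments."""
    groups = {g for g, members in store.group_members.items() if user in members}
    perms = set()
    for kind, name, role_name, target in store.assignments:
        if target == obj and ((kind == "user" and name == user) or (kind == "group" and name in groups)):
            perms |= {p for p in store.roles[role_name] if _applies(p, obj_type)}
    return sorted(perms)

def demo():
    # Constructed sample data: two task roles, one repository role, one group of two users.
    store = RoleStore(group_members={"ops": {"alice", "bob"}}, roles={
        "core.task_viewer": frozenset({"core.view_task"}),
        "core.task_owner": frozenset({"core.view_task", "core.delete_task", "core.manage_roles_task"}),
        "core.repo_owner": frozenset({"core.view_repository"})})
    add_role(store, "core.task_owner", "task", obj="task-1", users=["alice"])
    add_role(store, "core.task_viewer", "task", groups=["ops"])  # model-level assignment
    remove_role(store, "core.task_viewer", "task", obj="task-1", users=["carol"])  # nobody held it: no error
    return store
```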
Updated by pulpbot about 3 years ago
- Status changed from NEW to POST
Updated by bmbouter about 3 years ago
- Assignee set to mdellweg
- Sprint set to Sprint 111
Added by mdellweg about 3 years ago
Revision c1b2f39e
Add RolesMixin for viewsets
This mixin provides endpoints to assign and revoke roles on objects to users or groups.
fixes #9604
Added by mdellweg about 3 years ago
Revision 1e8203f0
Add RolesMixin to group view set
re #9604
Updated by mdellweg about 3 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulpcore|c1b2f39ea1198f079110ca532b23b129f34a9280.
Added by mdellweg about 3 years ago
Revision d559a8e2
Fix erroneous permission in group access policy
re #9604
Updated by pulpbot about 3 years ago
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
Fix up Group proxy model
re #9604