Task #9604
Updated by bmbouter almost 3 years ago
## Problem Now that pulpcore knows about Roles, and users can define their own, we need to allow users to manage the role assignments to specific objects and "model level" permissions. ## Design Create the following API calls that would be nested under any given viewset, e.g. TaskViewset. * ` *` add_role` - If on a detail view, add the role the user specifies to the group or groups and/or user or users the user specifies to the specific object. If not on a detail view, add the role the user specifies to the group or gorups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type an error is expected. * `remove_role` - If on a detail view, remove the role the user specifies from the group or groups and/or user or users the user specifies to the specific object. If not on a detail view, remove the role the user specifies from the group or gorups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type an error is expected. If no users or groups had that role no error is expected. * `list_roles` - List the roles that could have at least one permission that is meaningful for this object type. * `my_permissions` - If on a detail view, lists the effective object-level permissions a user has through both direct and group-based membership. If not on a detail view, lists the effective model level permissions a user has through both direct and group-based membership. Create a `RoleMixin` that allows developers to add ^ endpoint to any Viewset easily. ## Authorization details * The developer is expected to define a new "manage permissions" permission that is specific to that object type. For example, `core.manage_roles_task` would be a reasonable name for managing the permissions of a `Task`. * The developer needs to add to their access policy the specific calls to use that new permission to authorize only users who have these calls to make the calls to `list_roles`, `add_roles`, and `remove_role`. For example for `core.manage_roles_task` that would look like: ``` { "action": ["list_roles", "add_role", "remove_role"], "principal": "authenticated", "effect": "allow", "condition": "has_model_or_obj_perms:core.manage_roles_task", }, ``` It is expected the drf-access-policy would allow any authenticated user to list `my_permissions`.