Project

Profile

Help

Task #9604

Updated by bmbouter about 1 year ago

## Problem 

 Now that pulpcore knows about Roles, and users can define their own, we need to allow users to manage the role assignments to specific objects and "model level" permissions. 

 ## Design 

 Create the following API calls that would be nested under any given viewset, e.g. TaskViewset. 

 * ` *` add_role` - If on a detail view, add the role the user specifies to the group or groups and/or user or users the user specifies to the specific object. If not on a detail view, add the role the user specifies to the group or gorups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type an error is expected. 

 * `remove_role` - If on a detail view, remove the role the user specifies from the group or groups and/or user or users the user specifies to the specific object. If not on a detail view, remove the role the user specifies from the group or gorups and/or user or users the user specifies as a model level role. The role is required. At least one group or user must be specified. If the Role does not have a permission applicable to this object type an error is expected. If no users or groups had that role no error is expected. 

 * `list_roles` - List the roles that could have at least one permission that is meaningful for this object type. 

 * `my_permissions` - If on a detail view, lists the effective object-level permissions a user has through both direct and group-based membership. If not on a detail view, lists the effective model level permissions a user has through both direct and group-based membership. 

 Create a `RoleMixin` that allows developers to add ^ endpoint to any Viewset easily. 

 ## Authorization details 

 * The developer is expected to define a new "manage permissions" permission that is specific to that object type. For example, `core.manage_roles_task` would be a reasonable name for managing the permissions of a `Task`. 

 * The developer needs to add to their access policy the specific calls to use that new permission to authorize only users who have these calls to make the calls to `list_roles`, `add_roles`, and `remove_role`. For example for `core.manage_roles_task` that would look like: 

 ``` 
             { 
                 "action": ["list_roles", "add_role", "remove_role"], 
                 "principal": "authenticated", 
                 "effect": "allow", 
                 "condition": "has_model_or_obj_perms:core.manage_roles_task", 
             }, 
 ``` 

 It is expected the drf-access-policy would allow any authenticated user to list `my_permissions`.

Back